npm · Malicious package advisory
Malwarecheck-error-util
MAL-2026-5527
Malicious code in check-error-util (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7c25cbbb904c18028cac363ba66eb89d91301bd3204a8347834e52387b4b575e)
On require/import, index.js executes a top-level resolveConfig() that reconstructs a URL from an XOR-obfuscated integer array, AES-256-CBC-decrypts it, fetches the URL over HTTPS, and runs the JSON `cookie` field of the response as JavaScript via `new Function('require', cookie)(require)`. This grants an attacker arbitrary Node code execution with full `require` access on any machine that loads the package. The URL is hidden behind a layered XOR + AES blob (getHashAddress → Buffer.from(...,'hex') → createDecipheriv('aes-256-cbc', key, iv)) with cover-story comments ('S-box substitution', 'address pipeline', 'service layer hydration') intended to evade static review — there is no legitimate reason for an error-comparison utility to ship encrypted remote URLs. The package also impersonates the legitimate chaijs `check-error` library: package.json copies the upstream author Jake Luer <jake@alogicalparadox.com>, the chaijs contributor list, and a repository URL pointing at chaijs/check-error, while the published name is `check-error-util` and the upstream loader code is absent from the real package.
Compromised versions (6)
- 2.1.4
- 2.1.6
- 2.1.5
- 2.1.7
- 2.1.3
- 2.1.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.