{"id":"MAL-2026-5526","summary":"Malicious code in chai-check-error (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6e290b42de2cbd4aa74afa6550fc9a0381dfcb0f6996dcdc22254268b391f9f8)\nchai-check-error@2.1.6 impersonates the legitimate chaijs/check-error utility (copied README, author metadata, repository URL, and exported API surface) and adds a malicious payload. package.json declares `\"postinstall\": \"node index.js\"`, and index.js calls `_initMsgCache()` at module top level so the same code path also fires on every `require()`. _initMsgCache derives an AES-256-CBC key/IV from a hardcoded byte array `_d` mixed via a `_sbox(0x9E3779B1,...)` routine, decrypts a 165-byte ciphertext into an HTTPS URL, fetches that URL with `require('https').get(...)`, parses the JSON response, and executes the `cookie` field as JavaScript through `new Function('require', mod)(require)`. The destination URL is intentionally obfuscated and the surrounding comments frame the routine as a benign \"internal message cache\" / \"locale-aware message formatting\" feature, but `getMessage` never reads `_msgCache` — the cache framing is cover-story. Any developer who installs this package — whether intentionally or by confusing it with chai's check-error — runs arbitrary attacker-controlled JavaScript under their Node process at install time and again on every import.\n","modified":"2026-06-12T20:01:48.281088609Z","published":"2026-06-10T18:46:09Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005301","modified_time":"2026-06-10T18:46:09Z","source":"amazon-inspector","sha256":"6729e2583827bdee33f9ebcd86d9de182db68c10bf9534bf053f370fa12d7ffc","versions":["2.1.3"],"import_time":"2026-06-10T19:23:49.306590788Z"},{"id":"IN-MAL-2026-005300","modified_time":"2026-06-10T18:46:09Z","source":"amazon-inspector","sha256":"fd1d58d0dff4bf33802ce6bf775a5de16f3b9c726a3bcc9b7a271ac5d25c01f3","versions":["2.1.3"],"import_time":"2026-06-10T19:23:49.160543263Z"},{"sha256":"72cdc7381ca318201e855e9d562385b4b4e5f18fdd3d4eaf6909f66f544dade4","modified_time":"2026-06-11T07:17:01Z","source":"amazon-inspector","id":"IN-MAL-2026-005685","versions":["2.1.5"],"import_time":"2026-06-11T07:49:40.855961339Z"},{"import_time":"2026-06-11T07:49:40.993882757Z","modified_time":"2026-06-11T07:17:01Z","source":"amazon-inspector","sha256":"ef56ad75d91a0e619a82488c117c9b46a21630367ccd7186c66285021b071fde","versions":["2.1.5"],"id":"IN-MAL-2026-005686"},{"import_time":"2026-06-12T19:43:35.366150287Z","modified_time":"2026-06-12T19:02:20Z","source":"amazon-inspector","sha256":"6e290b42de2cbd4aa74afa6550fc9a0381dfcb0f6996dcdc22254268b391f9f8","versions":["2.1.6"],"id":"IN-MAL-2026-005806"},{"id":"IN-MAL-2026-005807","modified_time":"2026-06-12T19:02:20Z","import_time":"2026-06-12T19:43:35.482583617Z","sha256":"b7b136bc4142a0c8e772db77fa7002ae8c5ec90fd55535f70f82b69b263eff09","versions":["2.1.6"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-check-error/v/2.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-check-error/v/2.1.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-check-error/v/2.1.6"}],"affected":[{"package":{"name":"chai-check-error","ecosystem":"npm","purl":"pkg:npm/chai-check-error"},"versions":["2.1.3","2.1.5","2.1.6"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"bca1654672b6b26388fba060314b785a9726722db1bda1c5d39d04b02fc5d58db32fc9","sha256":"25d4a82e65a4cf6e25220a2d4eff26d30c082a7bd09325188e45bd55825258f8","path":"index.js"},{"tlsh":"862179a2c9654c532fd818a59c5f1042b2608967ce94fd4c33bb914c9b6d12f02ff65c","sha256":"469d96bedb0870a02c4ea5ea80bf3d5ff1f912b3d0c0732c146a18420978c252","path":"package.json"}],"package_integrity":[{"filename":"chai-check-error-2.1.3.tgz","hashes":{"sha1":"c9a2935110fe1e931afba78fc59521021f77569b","sha512_sri":"sha512-G0X3BfKyI4VQX+enDCmIxJRG2e0bkYf0o2WP4hY0ye7dEsPPoWE38A+iz4yDj28qO8HPKrs7Gi3ltiOYoACX5Q=="}}],"domains":["jsonkeeper.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-check-error/MAL-2026-5526.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}