MAL-2026-5526

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-check-error/MAL-2026-5526.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5526

Published

2026-06-10T18:46:09Z

Modified

2026-06-12T20:01:48.281088609Z

Summary

Malicious code in chai-check-error (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6e290b42de2cbd4aa74afa6550fc9a0381dfcb0f6996dcdc22254268b391f9f8)

chai-check-error@2.1.6 impersonates the legitimate chaijs/check-error utility (copied README, author metadata, repository URL, and exported API surface) and adds a malicious payload. package.json declares "postinstall": "node index.js", and index.js calls _initMsgCache() at module top level so the same code path also fires on every require(). _initMsgCache derives an AES-256-CBC key/IV from a hardcoded byte array _d mixed via a _sbox(0x9E3779B1,...) routine, decrypts a 165-byte ciphertext into an HTTPS URL, fetches that URL with require('https').get(...), parses the JSON response, and executes the cookie field as JavaScript through new Function('require', mod)(require). The destination URL is intentionally obfuscated and the surrounding comments frame the routine as a benign "internal message cache" / "locale-aware message formatting" feature, but getMessage never reads _msgCache — the cache framing is cover-story. Any developer who installs this package — whether intentionally or by confusing it with chai's check-error — runs arbitrary attacker-controlled JavaScript under their Node process at install time and again on every import.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005301",
            "import_time": "2026-06-10T19:23:49.306590788Z",
            "sha256": "6729e2583827bdee33f9ebcd86d9de182db68c10bf9534bf053f370fa12d7ffc",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:46:09Z",
            "versions": [
                "2.1.3"
            ]
        },
        {
            "id": "IN-MAL-2026-005300",
            "import_time": "2026-06-10T19:23:49.160543263Z",
            "sha256": "fd1d58d0dff4bf33802ce6bf775a5de16f3b9c726a3bcc9b7a271ac5d25c01f3",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:46:09Z",
            "versions": [
                "2.1.3"
            ]
        },
        {
            "id": "IN-MAL-2026-005685",
            "versions": [
                "2.1.5"
            ],
            "sha256": "72cdc7381ca318201e855e9d562385b4b4e5f18fdd3d4eaf6909f66f544dade4",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:17:01Z",
            "import_time": "2026-06-11T07:49:40.855961339Z"
        },
        {
            "id": "IN-MAL-2026-005686",
            "versions": [
                "2.1.5"
            ],
            "sha256": "ef56ad75d91a0e619a82488c117c9b46a21630367ccd7186c66285021b071fde",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:17:01Z",
            "import_time": "2026-06-11T07:49:40.993882757Z"
        },
        {
            "id": "IN-MAL-2026-005806",
            "versions": [
                "2.1.6"
            ],
            "sha256": "6e290b42de2cbd4aa74afa6550fc9a0381dfcb0f6996dcdc22254268b391f9f8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:02:20Z",
            "import_time": "2026-06-12T19:43:35.366150287Z"
        },
        {
            "id": "IN-MAL-2026-005807",
            "import_time": "2026-06-12T19:43:35.482583617Z",
            "sha256": "b7b136bc4142a0c8e772db77fa7002ae8c5ec90fd55535f70f82b69b263eff09",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:02:20Z",
            "versions": [
                "2.1.6"
            ]
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / chai-check-error

Package

Name: chai-check-error; View open source insights on deps.dev
Purl: pkg:npm/chai-check-error

Affected ranges

Affected versions

2.*

2.1.3

2.1.5

2.1.6

Database specific

indicators

{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "25d4a82e65a4cf6e25220a2d4eff26d30c082a7bd09325188e45bd55825258f8",
            "tlsh": "bca1654672b6b26388fba060314b785a9726722db1bda1c5d39d04b02fc5d58db32fc9"
        },
        {
            "path": "package.json",
            "sha256": "469d96bedb0870a02c4ea5ea80bf3d5ff1f912b3d0c0732c146a18420978c252",
            "tlsh": "862179a2c9654c532fd818a59c5f1042b2608967ce94fd4c33bb914c9b6d12f02ff65c"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-check-error-2.1.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-G0X3BfKyI4VQX+enDCmIxJRG2e0bkYf0o2WP4hY0ye7dEsPPoWE38A+iz4yDj28qO8HPKrs7Gi3ltiOYoACX5Q==",
                "sha1": "c9a2935110fe1e931afba78fc59521021f77569b"
            }
        }
    ],
    "domains": [
        "jsonkeeper.com"
    ]
}

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-check-error/MAL-2026-5526.json"