MAL-2026-5527

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/check-error-util/MAL-2026-5527.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5527
Published
2026-06-10T18:44:20Z
Modified
2026-06-11T05:46:34.225403817Z
Summary
Malicious code in check-error-util (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7c25cbbb904c18028cac363ba66eb89d91301bd3204a8347834e52387b4b575e)

On require/import, index.js executes a top-level resolveConfig() that reconstructs a URL from an XOR-obfuscated integer array, AES-256-CBC-decrypts it, fetches the URL over HTTPS, and runs the cookie field of the JSON response as JavaScript via new Function('require', cookie)(require). This grants an attacker arbitrary Node code execution with full require access on any machine that loads the package. Because the payload is fetched at load time rather than shipped in the tarball, the code that runs can change without a new version being published; a host that loaded an affected version should therefore be treated as potentially compromised, not as cleaned by uninstalling the package. The URL is hidden behind a layered XOR + AES blob (getHashAddress → Buffer.from(...,'hex') → createDecipheriv('aes-256-cbc', key, iv)) with cover-story comments ('S-box substitution', 'address pipeline', 'service layer hydration') intended to evade static review — there is no legitimate reason for an error-comparison utility to ship encrypted remote URLs. The package also impersonates the legitimate chaijs check-error library: package.json copies the upstream author entry (Jake Luer, jake@alogicalparadox.com), the chaijs contributor list, and a repository URL pointing at chaijs/check-error, while the published name is check-error-util and the loader code described above is absent from the real upstream package.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005298",
            "import_time": "2026-06-10T19:23:48.994911165Z",
            "sha256": "4354c90de765b6812756121ed6ceb8784ca5a2d6e40f6aa97391e5014c35a038",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:44:20Z",
            "versions": [
                "2.1.4"
            ]
        },
        {
            "id": "IN-MAL-2026-005299",
            "import_time": "2026-06-10T19:23:49.056021617Z",
            "sha256": "91cb4f3b95eca0a9d180e159ac28ce3cc697c771229f9447cd1a293ce9cff57d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:44:21Z",
            "versions": [
                "2.1.4"
            ]
        },
        {
            "id": "IN-MAL-2026-005537",
            "import_time": "2026-06-11T05:41:04.672235705Z",
            "sha256": "24cc0eadac07d953a8fb2335bb848dd379a08855a014e29c3766b3f56a36fd46",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:03:39Z",
            "versions": [
                "2.1.6"
            ]
        },
        {
            "id": "IN-MAL-2026-005536",
            "import_time": "2026-06-11T05:41:04.576796101Z",
            "sha256": "39efbd4fb0ca7ceb96ef1b0b8852b3a01f063534aa884d9b41b9c0e9807e7342",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:03:38Z",
            "versions": [
                "2.1.5"
            ]
        },
        {
            "id": "IN-MAL-2026-005539",
            "import_time": "2026-06-11T05:41:04.921272413Z",
            "sha256": "61a7e6a668d91a00d8a37aa73e538cf778fea022a19ba28e0c9d373a5946df05",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:03:40Z",
            "versions": [
                "2.1.7"
            ]
        },
        {
            "id": "IN-MAL-2026-005540",
            "import_time": "2026-06-11T05:41:05.034928196Z",
            "sha256": "6836fe64dbf323ab80a8ac08c2c1a257f3402082d7bd05fc76c5c549defe67d3",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:03:41Z",
            "versions": [
                "2.1.6"
            ]
        },
        {
            "id": "IN-MAL-2026-005535",
            "versions": [
                "2.1.7"
            ],
            "sha256": "7c25cbbb904c18028cac363ba66eb89d91301bd3204a8347834e52387b4b575e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:03:38Z",
            "import_time": "2026-06-11T05:41:04.482931003Z"
        },
        {
            "id": "IN-MAL-2026-005533",
            "import_time": "2026-06-11T05:41:04.286605008Z",
            "sha256": "e087c7abebf26095695a247b30a2ddda639f3c774ccda3cecbac7037fe454728",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:03:37Z",
            "versions": [
                "2.1.3"
            ]
        },
        {
            "id": "IN-MAL-2026-005538",
            "versions": [
                "2.1.5"
            ],
            "sha256": "3dbf726d1dec5d0add89d8c3499c5686f59d219140872b727a1813b170ef39d3",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:03:40Z",
            "import_time": "2026-06-11T05:41:04.845825499Z"
        },
        {
            "id": "IN-MAL-2026-005541",
            "import_time": "2026-06-11T05:41:05.13232345Z",
            "sha256": "64f3a618c56463b3da94d7ad2bfcd9f241ee3db8c6c7e8c49a82314dbfd860ad",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:03:45Z",
            "versions": [
                "2.1.8"
            ]
        },
        {
            "id": "IN-MAL-2026-005534",
            "versions": [
                "2.1.3"
            ],
            "sha256": "75e9f3a5c9df870e5f4f5accad4503ebaf5e542d183017e9ef79fddc3ecb942b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T05:03:37Z",
            "import_time": "2026-06-11T05:41:04.388272913Z"
        }
    ]
}
References
Credits

Affected packages

npm / check-error-util

Package

Affected ranges

Affected versions

2.*
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "1abef0e70c5337e9db4c53e70d3f28e2769448d0674f5a0b87c94bf005257f02",
            "tlsh": "3cc1454673b9b26248bb94e1214bb46b5232b12f7079b1c5e28c44b16fc5d54ef32fd8"
        },
        {
            "path": "package.json",
            "sha256": "5ec8c5e22f03394e453df05626182d3f7f208bd458a351dba1c5e1cbebd4eb2e",
            "tlsh": "f12176a2ca664c532fd818a6ac4f1042b2608857ce94fc4c73aba10c9b6d12f02ff65c"
        }
    ],
    "package_integrity": [
        {
            "filename": "check-error-util-2.1.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-sJlHoqWv+wFgl31J8Q7MlfmD8Tyfd5YNx5ftbTSq8RC2EU5DP6w3tqSlkV7myLz0uE9N6XD+AMqF+BUjq5PdNw==",
                "sha1": "d54be74bd04ba6fce8d42da4b4b1fe877d3fa329"
            }
        }
    ],
    "domains": [
        "jsonkeeper.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/check-error-util/MAL-2026-5527.json"