-= Per source details. Do not edit below this line.=-
On require(), index.js invokes _initMsgCache() at module top level. The function derives an AES-256-CBC key, IV, and ciphertext from a hardcoded 161-byte array (index.js:62) processed through an LCG-derived sbox, decrypts a URL, performs an https.get to that URL, parses the JSON response, and executes the response's cookie field via new Function('require', mod)(require) (index.js:155). This is a fully attacker-controlled remote code execution payload that runs on every consumer's machine the moment the package is imported, with full require access in the Node process. The package additionally impersonates the legitimate chai utility check-error — it copies chai's author metadata, description, the chaijs/check-error repository URL, and the original API surface (compatibleInstance, compatibleConstructor, compatibleMessage, getMessage, getConstructorName), with the dropper grafted onto the genuine sources. Unused runtime dependencies (axios, form-data, socket.io-client) are declared as further cover. The URL obfuscation (byte array + sbox XOR + per-index subtraction + bit rotation + AES-256-CBC) exists solely to hide the C2 endpoint from scanners — legitimate packages do not encrypt their network destinations.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"sha256": "d89ef9716015743217a9492f4b4469459da701a1b6198851f1527033f1e5c9ae",
"id": "IN-MAL-2026-007360",
"source": "amazon-inspector",
"import_time": "2026-06-23T20:48:31.074184072Z",
"modified_time": "2026-06-23T20:19:57Z",
"versions": [
"2.1.7"
]
},
{
"modified_time": "2026-06-23T20:19:56Z",
"id": "IN-MAL-2026-007359",
"source": "amazon-inspector",
"import_time": "2026-06-23T20:48:30.985729906Z",
"sha256": "e993c042cdc389f0889fe65e200ecfde7a0c9e18cb3ccfce76c3382c1379aead",
"versions": [
"2.1.6"
]
},
{
"modified_time": "2026-07-06T18:57:43Z",
"id": "GHSA-fphr-9c8m-c35g",
"source": "ghsa-malware",
"import_time": "2026-07-06T19:53:47.954449865Z",
"sha256": "6a94fb4ad979c29d1d9bccd7289e92e821fb11a15d3e072d1f62162d321cdae1",
"versions": [
"2.1.7",
"2.1.6"
]
}
]
}{
"evidence_files": [
{
"path": "index.js",
"tlsh": "43d161453fb6b26288b7d4e1210f244ae222b119717da085f39e44b57f98c54cb7efc9",
"sha256": "c2b2a605465ff83573f2ddcbdf29e3f63b6d3bce638508f77ad1b0ff76ac4c63"
},
{
"path": "package.json",
"tlsh": "3d217b62ca654c532fd815a69c5f1042b3618857ce94fd4c73a7920c9f6d12f12ff65c",
"sha256": "2317fd570270a7c1b00221a6b0c439857bfe292f95c23a1744806b5dfba0ed4b"
}
],
"package_integrity": [
{
"filename": "react-check-error-2.1.7.tgz",
"hashes": {
"sha1": "35561d6f2799b91c0dc462a7e13b6c1bf1e31e98",
"sha512_sri": "sha512-xW1mCJWBN6+JimuQyeJ2nXy927e2A3S/Zd2idvLM1W2HMyQf0vuEhQhATh9fErXwJ8Nk7zmjMv089T5Qz/FgSg=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-check-error/MAL-2026-6341.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]