check-error-util @2.1.8

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5527

Ecosystem

npm

Summary

On require/import, index.js executes a top-level resolveConfig() that reconstructs a URL from an XOR-obfuscated integer array, AES-256-CBC-decrypts it, fetches the URL over HTTPS, and runs the JSON cookie field of the response as JavaScript via new Function('require', cookie)(require). This grants an attacker arbitrary Node code execution with full require access on any machine that loads the package. The URL is hidden behind a layered XOR + AES blob (getHashAddress → Buffer.from(...,'hex') → createDecipheriv('aes-256-cbc', key, iv)) with cover-story comments ('S-box substitution', 'address pipeline', 'service layer hydration') intended to evade static review; there is no legitimate reason for an error-comparison utility to ship encrypted remote URLs. The package also impersonates the legitimate chaijs check-error library: package.json copies the upstream author Jake Luer <jake@alogicalparadox.com>, the chaijs contributor list, and a repository URL pointing at chaijs/check-error, while the published name is check-error-util and no such loader code exists in the real upstream package.

Source: amazon-inspector (7c25cbbb904c18028cac363ba66eb89d91301bd3204a8347834e52387b4b575e)