react-check-error @2.1.7
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6341
Ecosystem
npm
Summary
On require(), index.js invokes _initMsgCache() at module top level. The function derives an AES-256-CBC key, IV, and ciphertext from a hardcoded 161-byte array (index.js:62) processed through an LCG-derived sbox, decrypts a URL, performs an https.get to that URL, parses the JSON response, and executes the response's cookie field via new Function('require', mod)(require) (index.js:155). This is a fully attacker-controlled remote code execution payload that runs on every consumer's machine the moment the package is imported, with full require access in the Node process. The package additionally impersonates the legitimate chai utility check-error — it copies chai's author metadata, description, the chaijs/check-error repository URL, and the original API surface (compatibleInstance, compatibleConstructor, compatibleMessage, getMessage, getConstructorName), with the dropper grafted onto the genuine sources. Unused runtime dependencies (axios, form-data, socket.io-client) are declared as further cover. The URL obfuscation (byte array + sbox XOR + per-index subtraction + bit rotation + AES-256-CBC) exists solely to hide the C2 endpoint from scanners — legitimate packages do not encrypt their network destinations.
Source: amazon-inspector (d89ef9716015743217a9492f4b4469459da701a1b6198851f1527033f1e5c9ae)