
MAL-2026-6341

Malicious code in react-check-error (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d89ef9716015743217a9492f4b4469459da701a1b6198851f1527033f1e5c9ae)

On require(), index.js invokes _initMsgCache() at module top level. The function derives an AES-256-CBC key, IV, and ciphertext from a hardcoded 161-byte array (index.js:62) processed through an LCG-derived sbox, decrypts a URL, performs an https.get to that URL, parses the JSON response, and executes the response's `cookie` field via `new Function('require', mod)(require)` (index.js:155). This is a fully attacker-controlled remote code execution payload that runs on every consumer's machine the moment the package is imported, with full `require` access in the Node process.

The package additionally impersonates the legitimate chai utility `check-error` — it copies chai's author metadata, description, the chaijs/check-error repository URL, and the original API surface (compatibleInstance, compatibleConstructor, compatibleMessage, getMessage, getConstructorName), with the dropper grafted onto the genuine sources. Unused runtime dependencies (axios, form-data, socket.io-client) are declared as further cover.

The URL obfuscation (byte array + sbox XOR + per-index subtraction + bit rotation + AES-256-CBC) exists solely to hide the C2 endpoint from scanners — legitimate packages do not encrypt their network destinations.
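As an added example (not code from the advisory or from the package), the following Node.js triage script flags the indicators described above in a package's manifest and source text. The rule names, the sample manifest, the sample source and the 63-element byte-array threshold are assumptions constructed for illustration.

```javascript
// Added example: static triage for the indicators this advisory describes.
// The sample manifest and source text below are constructed, not the real package.
const SOURCE_RULES = [
  // Fetched text compiled with `require` handed in: new Function('require', x)(require)
  ['dynamic-code-with-require', /new\s+Function\s*\(\s*['"]require['"]\s*,[^)]*\)\s*\(\s*require\s*\)/],
  ['aes-256-cbc-decrypt', /createDecipheriv\s*\(\s*['"]aes-256-cbc['"]/i],
  ['https-get', /\bhttps\.get\s*\(/],
  // Long literal byte array, such as a blob holding key, IV and ciphertext (threshold is an assumption)
  ['large-byte-array', /\[\s*(?:(?:0x[0-9a-f]{1,2}|\d{1,3})\s*,\s*){63,}/i],
];

function scanSource(src) {
  return SOURCE_RULES.filter(([, re]) => re.test(src)).map(([name]) => name);
}

function scanManifest(pkg, src) {
  const findings = [];
  const repo = typeof pkg.repository === 'string' ? pkg.repository : (pkg.repository || {}).url || '';
  const repoName = (repo.match(/\/([^/]+?)(?:\.git)?\/?$/) || [])[1];
  // Weak signal alone (monorepos also mismatch); meaningful next to source hits.
  if (repoName && repoName !== pkg.name.replace(/^@[^/]+\//, '')) {
    findings.push(`repository-name-mismatch:${repoName}`);
  }
  for (const dep of Object.keys(pkg.dependencies || {})) {
    const esc = dep.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    const used = new RegExp(`(?:require\\(\\s*|from\\s+)['"]${esc}(?:/[^'"]*)?['"]`);
    if (!used.test(src)) findings.push(`declared-but-unused:${dep}`);
  }
  return findings;
}

const samplePkg = { // constructed manifest; versions and URL form are placeholders
  name: 'react-check-error',
  repository: { type: 'git', url: 'git+https://github.com/chaijs/check-error.git' },
  dependencies: { axios: '*', 'form-data': '*', 'socket.io-client': '*' },
};
const sampleSrc = [ // constructed, non-functional text that only mimics the described shape
  "const https = require('https');",
  "const crypto = require('crypto');",
  `const blob = [${Array.from({ length: 161 }, (_, i) => i % 256).join(', ')}];`,
  "const d = crypto.createDecipheriv('aes-256-cbc', key, iv);",
  "https.get(url, (res) => { /* ... */ new Function('require', mod)(require); });",
].join('\n');
console.log(scanSource(sampleSrc), scanManifest(samplePkg, sampleSrc));
```

Any single rule can fire on legitimate code; the combination of a top-level network fetch, a decrypt of an embedded blob, and `new Function` receiving `require` is what warrants manual review.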

Affected packages

npm / react-check-error

No fixed version published yet for react-check-error (npm). Pin to a known-safe version or switch to an alternative.

References