MAL-2026-5526
Malicious code in chai-check-error (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fd1d58d0dff4bf33802ce6bf775a5de16f3b9c726a3bcc9b7a271ac5d25c01f3)

Package name and metadata impersonate the legitimate chaijs `check-error` utility (same author string, same repo URL, same description). index.js adds a `resolveConfig()` function called at module top-level that fetches a base64-obfuscated URL — `https://jsonkeeper.com/b/JOCBY` (encoded as `anNvbmtlZXBlci5jb20vYi9KT0NCWQ==` and decoded with `Buffer.from(..., 'base64').toString()`) — parses the JSON response, and passes the `.cookie` field into `new Function('require',...)(require)`, evaluating attacker-controlled JavaScript with `require` injected.

The same index.js is wired both as `postinstall` (`node index.js`) and as the package `main`, so the remote-code-execution path fires automatically on `npm install` and again on every `require('chai-check-error')`. jsonkeeper.com is a public, mutable, anonymous paste host — the author can swap the executed payload at any time without republishing. The combination of typosquat impersonation, base64-hidden C2, mutable remote payload, and eval-with-require gives the attacker arbitrary code execution on any installer or consumer machine.
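An added example, not part of the advisory or of any scanner's code: a static check for the three indicators described above (an install hook that runs the package `main`, a quoted base64 literal that decodes to a host, and `new Function('require', ...)`). The name `auditPackage`, the finding labels and the sample inputs are constructed for illustration.

```javascript
// Quoted base64 literals of 16+ characters; the decoded text is then tested for host/path shape.
const B64_LITERAL = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;
const HOST_LIKE = /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i;
// Function constructor whose first parameter is named 'require' (module loader handed to dynamic code).
const FUNCTION_WITH_REQUIRE = /new\s+Function\s*\(\s*['"]require['"]/;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

const stripDotSlash = (p) => p.replace(/^\.\//, '');

// manifest: parsed package.json; mainSource: text of the entry file. Nothing is executed.
function auditPackage(manifest, mainSource) {
  const findings = [];
  const main = stripDotSlash(manifest.main || 'index.js');
  const scripts = manifest.scripts || {};

  // Indicator 1: an install-time hook runs the same file consumers load via require().
  for (const hook of INSTALL_HOOKS) {
    const m = /^node\s+(\S+)/.exec(scripts[hook] || '');
    if (m && stripDotSlash(m[1]) === main) findings.push(`install-hook-runs-main:${hook}`);
  }
  // Indicator 2: a string literal that base64-decodes to something shaped like host/path.
  for (const [, literal] of mainSource.matchAll(B64_LITERAL)) {
    const decoded = Buffer.from(literal, 'base64').toString('utf8');
    if (HOST_LIKE.test(decoded)) findings.push(`base64-host:${decoded}`);
  }
  // Indicator 3: dynamic code construction that is handed `require`.
  if (FUNCTION_WITH_REQUIRE.test(mainSource)) findings.push('function-ctor-with-require');
  return findings;
}

// Constructed sample: only the fields and fragments the advisory names, scanned as text.
const SAMPLE_MANIFEST = {
  name: 'chai-check-error',
  main: 'index.js',
  scripts: { postinstall: 'node index.js' },
};
const SAMPLE_SOURCE = [
  "const host = Buffer.from('anNvbmtlZXBlci5jb20vYi9KT0NCWQ==', 'base64').toString();",
  '// fetch and JSON.parse steps omitted from this sample',
  "new Function('require', data.cookie)(require);",
].join('\n');

console.log(auditPackage(SAMPLE_MANIFEST, SAMPLE_SOURCE));
```

The check reads the files as text and executes nothing. Installing with `npm install --ignore-scripts` stops the `postinstall` trigger but not the `require()` one, since the same file is the package `main`.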
Affected packages
No fixed version published yet for chai-check-error (npm). Pin to a known-safe version or switch to an alternative.