MAL-2026-5527

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4354c90de765b6812756121ed6ceb8784ca5a2d6e40f6aa97391e5014c35a038) Package name and shipped README impersonate the chaijs `check-error` helper (identical API docs, author attribution, and a spoofed `git+ssh://git@github.com/chaijs/check-error.git` repository URL), but `index.js` adds a hidden dropper that runs at module load. A top-level call to `resolveConfig()` XOR-decodes a 160-byte numeric array (key 87) inside a function cover-named `getHashAddress()` to produce a hex blob, then uses that blob as an AES-256-CBC key||iv||ciphertext to decrypt an HTTPS URL. The package then calls `require('https').get(service,...)`, JSON-parses the response, and executes the response's `cookie` field via `new Function('require', payload)(require)` — handing the live `require` to attacker-supplied JavaScript with full Node privileges. Any `require('check-error-util')` or `import` triggers remote code execution under the installer's account.