Supply-chain threat intelligence
Risk score: 92
Indexed incident for check-error-util (npm).
On require/import, index.js executes a top-level resolveConfig() that reconstructs a URL from an XOR-obfuscated integer array, AES-256-CBC-decrypts it, fetches the URL over HTTPS, and runs the JSON cookie field of the response as JavaScript via new Function('require', cookie)(require). This grants an attacker arbitrary Node code execution with full require access on any machine that loads the package.

The URL is hidden behind a layered XOR + AES blob (getHashAddress → Buffer.from(...,'hex') → createDecipheriv('aes-256-cbc', key, iv)) with cover-story comments ('S-box substitution', 'address pipeline', 'service layer hydration') intended to evade static review. There is no legitimate reason for an error-comparison utility to ship encrypted remote URLs.

The package also impersonates the legitimate chaijs check-error library: package.json copies the upstream author Jake Luer <jake@alogicalparadox.com>, the chaijs contributor list, and a repository URL pointing at chaijs/check-error, while the published name is check-error-util and the loader code described above is absent from the real upstream package.
Affected versions
Indicators
Timeline