{
  "id": "MAL-2026-3754",
  "summary": "Malicious code in chalk-pack (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3e6eab5e9e696250cc719b36e144f4534cac2b38a25521cda80222b6c66cd64c)\nPackage is named `chalk-pack` (impersonating `chalk`) with keywords and `index.js` impersonating `lodash`; `index.js` is a stub that self-describes as 'Just a dummy module. The real payload is in postinstall.js'. On `npm install`, `postinstall.js` executes a two-part stealer: (1) credential harvester — reads `~/.npmrc`, `~/.env`, and `~/.git-credentials`, extracts npm auth tokens (`npm_[a-zA-Z0-9]{36}` and `//registry.npmjs.org/:_authToken=...`), and scrapes environment variables shaped like tokens/API keys/DB URLs/cloud/payment credentials; (2) crypto-wallet stealer — iterates 71 hardcoded Chromium/Brave/Edge/Firefox extension IDs for MetaMask, Phantom, Coinbase, Trust, Binance, OKX, Ledger, Trezor, Rabby, Keplr, Solflare, BitKeep, etc., reads `Local Extension Settings/<extId>/*.log`, regex-matches `vault`, `seed`, `mnemonic`, `privateKey`, and encrypted wallet JSON, and also walks `~/Documents`, `~/Desktop`, `~/Downloads` for BIP39-word-count-matching files. All collected data is POSTed as JSON to `http://149.28.127.35:8888` (plaintext HTTP, bare IP) hardcoded in `const C2=process.env.C2_URL||'http://149.28.127.35:8888'` at postinstall.js:7. The file header advertises itself as 'Token harvester + Crypto wallet scanner / Runs on npm install. Silent. Zero trace.' and every fs/http call is wrapped in `try{}catch(e){}` to suppress errors. Multiple independent attack fingerprints co-occur: hardcoded C2 in a lifecycle hook, installer-secret credential-file reads, wallet extension ID list, BIP39 seed-phrase scanner, and typosquat of a top-registry package — each independently sufficient.\n",
  "modified": "2026-05-15T07:52:29.587193Z",
  "published": "2026-05-14T19:24:45Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "modified_time": "2026-05-14T19:24:45Z",
        "id": "IN-MAL-2026-002647",
        "versions": ["1.0.4"],
        "source": "amazon-inspector",
        "import_time": "2026-05-15T07:37:15.405469171Z",
        "sha256": "3e6eab5e9e696250cc719b36e144f4534cac2b38a25521cda80222b6c66cd64c"
      },
      {
        "modified_time": "2026-05-15T03:08:40Z",
        "id": "IN-MAL-2026-002808",
        "versions": ["2.0.0"],
        "source": "amazon-inspector",
        "import_time": "2026-05-15T07:37:20.248421441Z",
        "sha256": "fb5b1dd23f490f87a1017ccfaf83acc738ad2fcf296016e958d9c2faeb921792"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/chalk-pack/v/1.0.4"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/chalk-pack/v/2.0.0"}
  ],
  "affected": [
    {
      "package": {"name": "chalk-pack", "ecosystem": "npm", "purl": "pkg:npm/chalk-pack"},
      "versions": ["1.0.4", "2.0.0"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-pack/MAL-2026-3754.json",
        "indicators": {
          "package_integrity": [
            {
              "filename": "chalk-pack-1.0.4.tgz",
              "hashes": {
                "sha512_sri": "sha512-5iUIB+WfRkGA+bK+wVAOhB1Z9mhFLu6X+Kbsy0xoAAe/5vm63P7aq6Qh7R3A+OEzD6UmOqImflmEb+oFXUJxcQ==",
                "sha1": "d9fe4e835f0626958bb06d65f11cc4b506dc2c0a"
              }
            }
          ],
          "evidence_files": [
            {
              "sha256": "6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9",
              "path": "postinstall.js",
              "tlsh": "0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb"
            },
            {
              "sha256": "cc34694aa3eff92886a89cfc5f623e090a5eeab25a631057b52e3f0919162276",
              "path": "package.json",
              "tlsh": "2bd02b20cb119d3324c417560a1b414969714d1700447c4833cb01ac875a3ba98ff61e"
            }
          ],
          "domains": ["http://149.28.127.35:8888"]
        },
        "cwes": [
          {"name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506"},
          {"name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506"}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [{"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}]
}