{"id":"MAL-2026-3755","summary":"Malicious code in chalk-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d0fe2974289b691a9f5541068f2e399aecb14a719779202ff5999652ffe351db)\nOn `npm install`, postinstall.js runs a credential and cryptocurrency stealer against the installer's machine. It reads ~/.npmrc (extracting _authToken and npm_* tokens), ~/.git-credentials, and ~/.env (extracting values keyed by token/secret/password/api/aws/gcp/stripe patterns), then iterates a hardcoded list of 71 browser extension IDs for major crypto wallets (MetaMask, Phantom, Coinbase Wallet, Exodus, Trust, Binance, OKX, Ledger Live, Trezor, and others) across Chrome/Brave/Edge/Chromium/Vivaldi/Opera profiles, reading each extension's Local Extension Settings LevelDB `.log` files and applying regexes for `vault`, `seed`, `privateKey`, `mnemonic`, `password`, and `encrypted`. It additionally walks ~/Documents, ~/Desktop, and ~/Downloads for filenames matching crypto keywords (seed, backup, wallet, phrase, metamask, phantom, vault, key, private), scores file contents against a BIP-39 word list, and harvests any file with \u003e=8 BIP-39 matches along with a 100-character content preview. Harvested data (plus os.hostname() and os.userInfo().username) is POSTed in cleartext to http://149.28.127.35:8888, a bare-IP C2 endpoint overridable via a `C2_URL` environment variable to support endpoint rotation. The package name `chalk-utils` masquerades as belonging to the `chalk` ecosystem while index.js is a dummy stub whose comment reads `lodash-js — Just a dummy module. The real payload is in postinstall.js`, and postinstall.js self-describes as `Token harvester + Crypto wallet scanner. Runs on npm install. Silent. Zero trace.`\n",
"modified":"2026-05-15T07:51:52.920361Z","published":"2026-05-14T19:24:57Z",
"database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-05-15T07:37:15.664565703Z","id":"IN-MAL-2026-002670","sha256":"91db66ecd03074751b8ba9161392a616bb388110f87bde3bba527b072060d047","versions":["1.0.4"],"modified_time":"2026-05-14T19:24:58Z"},{"source":"amazon-inspector","import_time":"2026-05-15T07:37:15.693339695Z","id":"IN-MAL-2026-002671","sha256":"abf624d09ac235b4070c91a31cdc049ee53620da917208668be8003956368687","versions":["2.0.0"],"modified_time":"2026-05-14T19:24:58Z"},{"source":"amazon-inspector","import_time":"2026-05-15T07:37:15.628977132Z","id":"IN-MAL-2026-002669","sha256":"d0fe2974289b691a9f5541068f2e399aecb14a719779202ff5999652ffe351db","versions":["1.0.3"],"modified_time":"2026-05-14T19:24:57Z"}]},
"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-utils/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-utils/v/2.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-utils/v/1.0.3"}],
"affected":[{"package":{"name":"chalk-utils","ecosystem":"npm","purl":"pkg:npm/chalk-utils"},"versions":["1.0.4","2.0.0","1.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-utils/MAL-2026-3755.json","indicators":{"evidence_files":[{"sha256":"6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9","path":"postinstall.js","tlsh":"0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb"},{"sha256":"cf18b5e5515b45acb020b8e99d6407ee69256f682a2bf7c7cb3ba51514bb7d00","path":"package.json","tlsh":"dcd02b308a128e3320c417531b1b414569b14d5701047c5c33cb015c47aa3b698ff60e"}],"package_integrity":[{"hashes":{"sha1":"9afc6d4dbaa55bd4c89830bb42221d0c6ded9d5f","sha512_sri":"sha512-n7DleCpMvzvH8B5KIqK6gXN0Rdf+Gt5jZFmokPNtfpGYnZwWctnM2uqYKyqxg0OSs485+eyJzlJXq39Ep87TDw=="},"filename":"chalk-utils-1.0.4.tgz"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],
"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}