{"id":"MAL-2026-4517","summary":"Malicious code in chalk-tempalte (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7)\nPackage name `chalk-tempalte` is a single-character transposition of the popular `chalk-template` package (a top-tier npm utility), consistent with deliberate typosquatting. The tarball ships a `postinstall.js` lifecycle script that imports `child_process`, performs HTTP GET/POST traffic via `http.request(...)`, and collects host identifiers (`hostname:` fields appear repeatedly throughout the script at lines 20, 46, 287, 409, 427). A second large file, `phantom.js`, contains multiple POST sinks (lines 1807, 2113, 3183, 6795, 6852). The structural shape — typosquat name + postinstall script that combines child_process, outbound HTTP, and host/system metadata harvesting — matches the credential/host-data exfiltration pattern used by recent npm supply-chain campaigns.\nInstalling this package causes the postinstall hook to fire automatically on `npm install`, transmitting installer machine data to a remote endpoint and providing a foothold for further code execution.\n","modified":"2026-05-26T06:02:13.426364308Z","published":"2026-05-20T02:07:31Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003421","import_time":"2026-05-26T05:50:36.703635173Z","versions":["1.0.15"],"source":"amazon-inspector","sha256":"0dbbedbc9885ab0402df3ea58ad1e3efbe33154089e167af2a7493174fa8168a","modified_time":"2026-05-20T02:32:48Z"},{"sha256":"1b46901047e08017bf0dd3a8edddd3b5b41b2bfc568487dd4420e37b07fb2b58","import_time":"2026-05-26T05:50:35.388926785Z","modified_time":"2026-05-20T02:21:45Z","id":"IN-MAL-2026-003409","source":"amazon-inspector","versions":["1.0.16"]},{"id":"IN-MAL-2026-003411","import_time":"2026-05-26T05:50:35.678873968Z","versions":["1.0.14"],"source":"amazon-inspector","sha256":"1b69dc559752cb056e834f5687f268e935b373bbe24c3499738601be672f87f9","modified_time":"2026-05-20T02:22:40Z"},{"id":"IN-MAL-2026-003414","import_time":"2026-05-26T05:50:35.985579113Z","source":"amazon-inspector","sha256":"b61844f5e8edacf86401cbc715ec84fae400cc29417b3c10993d3e1314ce13ff","modified_time":"2026-05-20T02:27:06Z","versions":["1.0.17"]},{"sha256":"d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7","import_time":"2026-05-26T05:50:33.402887211Z","id":"IN-MAL-2026-003393","versions":["1.0.19"],"source":"amazon-inspector","modified_time":"2026-05-20T02:07:31Z"},{"id":"IN-MAL-2026-003408","import_time":"2026-05-26T05:50:35.279050957Z","versions":["1.0.16"],"source":"amazon-inspector","sha256":"ec649aaa3ddfd4426b0b4076c10d98e3caac8efdee798007423b49a89cff2d15","modified_time":"2026-05-20T02:21:44Z"},{"sha256":"788cdc2d5da13ef256deec3bef835fef1f62c28ae9ae77606677951f615dba12","import_time":"2026-05-26T05:50:55.34748867Z","id":"IN-MAL-2026-003592","versions":["1.0.20"],"source":"amazon-inspector","modified_time":"2026-05-20T18:45:16Z"},{"sha256":"a50750faf25ea435dbed1d83e0bb3ae9bcad627770fcbe1213fcde2c5e168d86","import_time":"2026-05-26T05:50:36.602438299Z","id":"IN-MAL-2026-003420","versions":["1.0.15"],"source":"amazon-inspector","modified_time":"2026-05-20T02:32:48Z"},{"sha256":"c0ffe3887c093cd245be6407cffd38d98851d4c4aaae87dad81a0cbf9376e8a4","import_time":"2026-05-26T05:50:35.552335864Z","id":"IN-MAL-2026-003410","versions":["1.0.14"],"source":"amazon-inspector","modified_time":"2026-05-20T02:22:40Z"},{"sha256":"de2bc8855ed757642753f9c434aaf3a48b1a8806176970046b851433c66ba154","import_time":"2026-05-26T05:50:36.085632616Z","id":"IN-MAL-2026-003415","versions":["1.0.17"],"source":"amazon-inspector","modified_time":"2026-05-20T02:27:06Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-tempalte/v/1.0.17"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-tempalte/v/1.0.19"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-tempalte/v/1.0.16"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-tempalte/v/1.0.20"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-tempalte/v/1.0.15"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-tempalte/v/1.0.14"}],"affected":[{"package":{"name":"chalk-tempalte","ecosystem":"npm","purl":"pkg:npm/chalk-tempalte"},"versions":["1.0.15","1.0.16","1.0.14","1.0.17","1.0.19","1.0.20"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-tempalte/MAL-2026-4517.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"chalk-tempalte-1.0.17.tgz","hashes":{"sha512_sri":"sha512-LTXWiDvzVb76+cSz4H38Xgw58ZQrbY0eMVpoh3kBBGrflw5/yxogb066CZNNHgIDG4QInxxqowCHF3pKJH1X0A==","sha1":"de43a8c6ffd8984edfce333242997184360afe1e"}}],"domains":["api.ipify.org","b94b6bcfa27554.lhr.life"],"evidence_files":[{"sha256":"ffba9bdd6793edd5b38e12900252c1813a693f59c25af51c3b658cf3f27b6162","tlsh":"218230a103f615650d63ddadeb4350016922d2433900b95c7fed6fc82f1b52eaaf2bb8","path":"postinstall.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}