{"id":"MAL-2026-4534","summary":"Malicious code in color-style-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (47cf4aaa2cd7a20b222a1a4150a7b9e1f79d9b0a09c8fe4a5689e55bad9bc087)\nOn `npm install`, all three lifecycle hooks (preinstall, install, postinstall) execute postinstall.js, which harvests installer secrets and exfiltrates them to an attacker-controlled localhost.run SSH tunnel at edcf8b03c84634.lhr.life. The script reads ~/.ssh/*, ~/.aws/credentials and config, ~/.config/gcloud, ~/.azure, ~/.npmrc, ~/.kube/config, ~/.docker/config.json, browser profile directories, crypto wallets, VPN configs, shell histories, and dotfiles; dumps process.env; and regex-matches GitHub, AWS, Google, Stripe, Slack, and Discord tokens. It also fingerprints the host via api.ipify.org and ipapi.co (public IP, country, city, ISP, lat/lon, hostname, username, uid/gid, local IPs) and POSTs the full bundle to https://edcf8b03c84634.lhr.life/collect via https.request. The package additionally declares a self-referential dependency on itself (color-style-utils: ^1.0.4) and ships an undeclared ~35 KB sibling file `postinstall2.jsµ` with a non-ASCII suffix that is not referenced by any documented script — both consistent with name-squat/decoy smuggling patterns.\n","modified":"2026-05-26T06:02:24.664729519Z","published":"2026-05-20T02:11:31Z","database_specific":{"malicious-packages-origins":[{"sha256":"16a2ac63ceea80ca65ff07cd7a53193b897401be1eb015dfd90cb0d75295bf8b","versions":["1.0.9"],"id":"IN-MAL-2026-003412","source":"amazon-inspector","modified_time":"2026-05-20T02:26:03Z","import_time":"2026-05-26T05:50:35.782634392Z"},{"sha256":"c22ac2a127cc9b7c67336ce4cf43e53b1970c64a2a964e7dda025a2123bdf5c0","versions":["1.0.8"],"id":"IN-MAL-2026-003436","source":"amazon-inspector","modified_time":"2026-05-20T02:50:22Z","import_time":"2026-05-26T05:50:38.393649282Z"},{"sha256":"da6a7250092f3e9c567f31688ec6135543411ecb5cf6965ef6774ec42eafb1ca","versions":["1.0.3"],"id":"IN-MAL-2026-003590","source":"amazon-inspector","modified_time":"2026-05-20T18:38:55Z","import_time":"2026-05-26T05:50:55.10790025Z"},{"sha256":"87fb8a0ae3bd2b5e590100bb23ec07265819216eba9cb99ba0010dd06797d894","versions":["1.0.7"],"id":"IN-MAL-2026-003399","modified_time":"2026-05-20T02:11:31Z","source":"amazon-inspector","import_time":"2026-05-26T05:50:34.261406818Z"},{"sha256":"968e7ba9eea340cb571531bc44e6cfc6b542312b4c3470adbf7e084e7896a2d3","versions":["1.0.4"],"id":"IN-MAL-2026-003405","modified_time":"2026-05-20T02:20:23Z","source":"amazon-inspector","import_time":"2026-05-26T05:50:34.941292852Z"},{"sha256":"9b4ea1d1a4d8eafd3ea4938b74c3afc1ae8fa3b0af3011913186543c8c56c4ce","versions":["1.0.4"],"id":"IN-MAL-2026-003404","source":"amazon-inspector","modified_time":"2026-05-20T02:20:23Z","import_time":"2026-05-26T05:50:34.839809654Z"},{"sha256":"ad7a9aa944e224bf8f065a8e3a0ed84b419749bcb3d2191ac706be73e8936401","versions":["1.0.5"],"id":"IN-MAL-2026-003439","modified_time":"2026-05-20T02:50:58Z","source":"amazon-inspector","import_time":"2026-05-26T05:50:38.723831216Z"},{"sha256":"e560402c6bd2f75b2c3bdb46fd0dc67f4ff073701ad63b369df2b1499654a2d5","versions":["1.0.3"],"id":"IN-MAL-2026-003591","modified_time":"2026-05-20T18:38:55Z","source":"amazon-inspector","import_time":"2026-05-26T05:50:55.239662757Z"},{"sha256":"47cf4aaa2cd7a20b222a1a4150a7b9e1f79d9b0a09c8fe4a5689e55bad9bc087","versions":["1.0.5"],"id":"IN-MAL-2026-003438","source":"amazon-inspector","modified_time":"2026-05-20T02:50:57Z","import_time":"2026-05-26T05:50:38.602041175Z"},{"sha256":"8e3f3c4ea23f95da7fe79d16bcb6af3cf96a4b8d6918aa9d0d0381d134bff9a5","versions":["1.0.9"],"id":"IN-MAL-2026-003413","source":"amazon-inspector","modified_time":"2026-05-20T02:26:03Z","import_time":"2026-05-26T05:50:35.887161404Z"},{"sha256":"a0575ae60cd804b6bb973b55e00ff81f457cea92b576a13cc7c803d6b21a6e7a","versions":["1.0.8"],"id":"IN-MAL-2026-003437","modified_time":"2026-05-20T02:50:23Z","source":"amazon-inspector","import_time":"2026-05-26T05:50:38.499570391Z"},{"sha256":"bb9faca24e535571d455ec23147dea8cae065e21162d69688e69ec81dd4924ce","versions":["1.0.7"],"id":"IN-MAL-2026-003398","modified_time":"2026-05-20T02:11:31Z","source":"amazon-inspector","import_time":"2026-05-26T05:50:34.137869512Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/color-style-utils/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/color-style-utils/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/color-style-utils/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/color-style-utils/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/color-style-utils/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/color-style-utils/v/1.0.7"}],"affected":[{"package":{"name":"color-style-utils","ecosystem":"npm","purl":"pkg:npm/color-style-utils"},"versions":["1.0.9","1.0.8","1.0.3","1.0.7","1.0.4","1.0.5"],"database_specific":{"indicators":{"package_integrity":[{"filename":"color-style-utils-1.0.9.tgz","hashes":{"sha512_sri":"sha512-SFIizF+FxcgPXs8k+wmhYwsvsHvJdIwah2nyY1/Eg33eNTWoTFYTSony6knm5lZAdWaDHQ0n0Uk3Vy1WBbvexw==","sha1":"4bd6d022f8a54221b275249eda04850895ce84e8"}}],"evidence_files":[{"sha256":"7a4e9467f792f9c44eefea39f820ee36802c33458705aa96114676188296258a","tlsh":"4c8230a103f615650d63dda9eb4350016922d2533900b95c7fed6fc82f1b52eaaf2bb8","path":"postinstall.js"},{"sha256":"159129f87df460f5f655a87169220966b0fd4db53339bd2cdd1ae06752ef2c80","tlsh":"11f284cb12f6252089a3aa796b0790016537e1537146ed9c7fdc5b881f12f289af1bfc","path":"postinstall2.js"}],"domains":["api.ipify.org","ipapi.co","edd0df80546ec3.lhr.life"]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/color-style-utils/MAL-2026-4534.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}