{"id":"MAL-2026-5709","summary":"Malicious code in chalk-plus-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f5351482f03a50cab8a28b6aa7c992c960a55c6889634d2a04bb86a157ac18d1)\nPackage is published under a name riding the popular chalk color-output library but its source tree, README, main entry (lib/nodemailer.js), and lib paths (smtp-connection, mailer, ses-transport, smtp-pool, dkim, mime-funcs) are a verbatim clone of nodemailer. The package.json description is an unrelated React Training copyright string and the homepage points at a lookalike domain (chalk-plus-js.com). On install, the postinstall hook `node lib/utils/index.js` spawns lib/utils/smtp-connection/index.js as a detached child with stdio fully silenced (`spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore','ignore','ignore'] }); child.unref()`), so the dropper survives `npm install` exit with no console output. The target file is heavily obfuscated using a custom-alphabet string array and per-block decoders inside try/catch wrappers; decoded values are fed to `require(...)`, `spawn(...)`, and the argument pattern `['-e', \u003cdecoded\u003e]` with `shell: true` — i.e. it executes attacker-controlled code through a shell at install time. The payload requires axios, fs, path, child_process, and the package's runtime dependency footprint (axios, socket.io-client, sqlite3, request) is consistent with HTTP/websocket C2 plus local persistence — none of which a nodemailer clone needs. Any developer who mistypes or trusts the name chalk-plus-js executes attacker code with their own privileges on `npm install`.\n","modified":"2026-06-12T21:01:43.422114461Z","published":"2026-06-12T20:38:05Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006234","sha256":"f4dd85fdba129ac0e507f8ba04076974f722c3494d8abd938c89c6063e1364fc","versions":["7.0.4"],"modified_time":"2026-06-12T20:38:06Z","source":"amazon-inspector","import_time":"2026-06-12T20:49:38.373105072Z"},{"id":"IN-MAL-2026-006233","sha256":"f5351482f03a50cab8a28b6aa7c992c960a55c6889634d2a04bb86a157ac18d1","versions":["7.0.4"],"modified_time":"2026-06-12T20:38:05Z","source":"amazon-inspector","import_time":"2026-06-12T20:49:38.270139857Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-plus-js/v/7.0.4"}],"affected":[{"package":{"name":"chalk-plus-js","ecosystem":"npm","purl":"pkg:npm/chalk-plus-js"},"versions":["7.0.4"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-plus-js/MAL-2026-5709.json","indicators":{"evidence_files":[{"path":"lib/utils/index.js","sha256":"9fb27c30f484650bb4a39f65a03fbccdc0b9b5f1cb84700ca73ee8893c66e06e","tlsh":"dae0686a23533738a034cbc1da30ce3b258b8020b365a0e0f00c406a2bc72c406ea8da"},{"path":"lib/utils/smtp-connection/index.js","sha256":"bd09a61b5a7ea75f15ca436de5235ff6e5cdb10eeb2ef02b9b9d6d03f7817f18","tlsh":"a1332a41d0d2ffedd9ac60da1666a60c4d208d6ad7c8328d2647e03f9e7098653fdbc8"},{"path":"package.json","sha256":"9a31639305d240164e958ed719bb7827ff91420c69e9ed1e4e7de8a5e1c03e7b","tlsh":"5041cc15cd6a8ce3229525edb47c12836560d00f8d06b85d734c138c4f8e99f36b9f5d"}],"domains":["github.com","release-assets.githubusercontent.com"],"package_integrity":[{"filename":"chalk-plus-js-7.0.4.tgz","hashes":{"sha1":"042daaba915c2b5c4a7fe3e12a2e23ffd5690e6e","sha512_sri":"sha512-0KW66VFZzWfvoq1BqLsviZyEogV8t3Th45OhOOqBt4cbHV0yxqFBMTMgpFZfR44hJE4XnUHk/zTSK5o24DwfYw=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}