{"id":"MAL-2026-5710","summary":"Malicious code in chalk-plus-ts (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c)\npackage.json declares postinstall=`node lib/utils/index.js`, which spawns a detached child process running lib/utils/smtp-connection/index.js. That script fetches https://www.jsonkeeper.com/b/QHDXR (a mutable, anonymous JSON paste host) and passes the response's `cookie` field directly into `new Function('require', data.cookie)(require)`, executing attacker-controlled JavaScript with full Node privileges on every installer machine. The detached child with ignored stdio is designed to suppress visibility of the activity. The package additionally ships lib/utils/smtp-connection/parse.js, which exposes an AES-256-CBC decryption helper with a hardcoded key and IV — consistent with a staged loader for decoding subsequent payloads delivered through the same channel. Identity is laundered: the package name `chalk-plus-ts` impersonates the popular `chalk` package, the main entry is a verbatim copy of nodemailer.js, the author field is set to nodemailer's real maintainer (Andris Reinman), and the description field is unrelated React Training boilerplate — all to lure installs from multiple ecosystems.\n","modified":"2026-06-12T21:01:43.563856256Z","published":"2026-06-12T20:34:58Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-06-12T20:49:37.79351896Z","sha256":"08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c","id":"IN-MAL-2026-006228","modified_time":"2026-06-12T20:34:58Z","versions":["1.0.3"]},{"source":"amazon-inspector","import_time":"2026-06-12T20:49:37.922873011Z","id":"IN-MAL-2026-006229","sha256":"4e21033bf30adc04a20f48e89e1cb8ec1544a3d56c12a23b19f11be9ac17666e","modified_time":"2026-06-12T20:34:59Z","versions":["1.0.3"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-plus-ts/v/1.0.3"}],"affected":[{"package":{"name":"chalk-plus-ts","ecosystem":"npm","purl":"pkg:npm/chalk-plus-ts"},"versions":["1.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-plus-ts/MAL-2026-5710.json","indicators":{"package_integrity":[{"hashes":{"sha1":"e5597cc2c4ca0ae1b07696fed4508ac419b4f2c4","sha512_sri":"sha512-OnfSBqmrsMRPnVnRRgusimvi38do+hy8qjYZPSdrM2trfWZD2Boa7cspAtQfjDe2nrsQgo6KIRVT/1JbJf6xMA=="},"filename":"chalk-plus-ts-1.0.3.tgz"}],"domains":["www.jsonkeeper.com","github.com","release-assets.githubusercontent.com"],"evidence_files":[{"sha256":"e72ab44afd0114c64138b8ada7f91c7d12fd09be68ca28973465bed185552323","tlsh":"05f0c06a19f35238521b22c94b5b040a3007d007379aed89f7cc87e02fc39909d42fb8","path":"lib/utils/smtp-connection/index.js"},{"sha256":"4d3da7ac75c39bc24c8e92476867ad33d9e619245caa3756cad97b408e2588d3","tlsh":"9f41a614cd2a8ce3229425eea46c1183a520d00f8d06b85d734c038c8fce99f36baf2e","path":"package.json"},{"sha256":"4aac106a4f36aba6433c7ded453d724307ee55616e240883cd46204549cf24b1","tlsh":"7cf0a6802cb8fb900345b0e7c0bbeb07a198a068312287a48a8f9d5a45868488a130dd","path":"lib/utils/smtp-connection/parse.js"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}