{"id":"MAL-2026-6470","summary":"Malicious code in chlklib (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b08a933891c92fdec26fbadf4921d2e08ff101126fb656a2b57d747fefa9d0d4)\nPackage name `chlklib` is a one-character deletion of the popular `chalk` package and replicates chalk's public API surface (Chalk, chalkStderr, supportsColor, colorNames). On require/import, the main entry invokes `getOriginal()` at module top level, which POSTs to https://funnystore.org/lib/index.php, XOR-decodes the response body with a hardcoded key, and passes the result to `eval()` (see dist/vendor/original-color/index.cjs around line 55, invoked from dist/index.cjs). Any developer who installs and requires this package — most likely after mistyping `chalk` — immediately executes attacker-controlled JavaScript fetched at runtime from funnystore.org. The remote endpoint is mutable and unrelated to the package's stated 'terminal prompt' purpose, giving the operator full RCE on the installer's machine on every require. The XOR-then-eval obfuscation and typosquat-with-replicated-API shape together match a deliberate dropper campaign rather than any legitimate use case.\n","modified":"2026-06-25T19:31:22.812549937Z","published":"2026-06-25T18:27:36Z","database_specific":{"malicious-packages-origins":[{"sha256":"136a65e3a9bd3712d0e949a0a9b56747918d7d1436cbad01e204ab23ff5e990f","versions":["1.2.3"],"import_time":"2026-06-25T19:13:49.230688071Z","modified_time":"2026-06-25T18:27:36Z","source":"amazon-inspector","id":"IN-MAL-2026-007526"},{"sha256":"766413ce8bb9e5a330bf1a6f878e75a03528339df61dac409a66a06218e082d4","modified_time":"2026-06-25T18:27:37Z","import_time":"2026-06-25T19:13:49.311925244Z","versions":["1.2.2"],"id":"IN-MAL-2026-007527","source":"amazon-inspector"},{"sha256":"b08a933891c92fdec26fbadf4921d2e08ff101126fb656a2b57d747fefa9d0d4","modified_time":"2026-06-25T18:27:41Z","import_time":"2026-06-25T19:13:49.484821524Z","versions":["1.2.0"],"id":"IN-MAL-2026-007529","source":"amazon-inspector"},{"sha256":"fe013bde99ee7eafc14dc4db6ac67e239dd3ee3be046c2444c69b07181b236a3","modified_time":"2026-06-25T18:27:38Z","import_time":"2026-06-25T19:13:49.3560492Z","versions":["1.2.1"],"id":"IN-MAL-2026-007528","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chlklib/v/1.2.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chlklib/v/1.2.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chlklib/v/1.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chlklib/v/1.2.1"}],"affected":[{"package":{"name":"chlklib","ecosystem":"npm","purl":"pkg:npm/chlklib"},"versions":["1.2.3","1.2.2","1.2.0","1.2.1"],"database_specific":{"indicators":{"package_integrity":[{"filename":"chlklib-1.2.3.tgz","hashes":{"sha1":"d6a4a13aa087d2a0328b196fe0487a8a7aaf2e26","sha512_sri":"sha512-cPRZlR3K2900J28CU0nKgvvVtn5mgWHdVKiQm51kQ0tWH6vrcKh0P4yRDbF2NadaRh7myQl28LgWAtLM2An0nQ=="}}],"evidence_files":[{"sha256":"9faf80b37a3d9554bbe8b3ff443a6a114ce7c29ead29deaef766f2701cc52243","path":"dist/vendor/original-color/index.cjs","tlsh":"6251c647a6f4615a11f244fa632faa0177bea2e81108d958f6acc2f50fc642144d4aef"},{"sha256":"f393aaa919fad51bf578515115f26444534b2957186fc22bc9a24fb8e47465a3","path":"package.json","tlsh":"8031b318c8b06ed77aca26b4aa5e8b56667140070a546f0433cd412c0fcc2df8aff1ce"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chlklib/MAL-2026-6470.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}