MAL-2026-3754
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-pack/MAL-2026-3754.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-3754
- Published
- 2026-05-14T19:24:45Z
- Modified
- 2026-05-15T07:52:29.587193Z
- Summary
- Malicious code in chalk-pack (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (3e6eab5e9e696250cc719b36e144f4534cac2b38a25521cda80222b6c66cd64c)
Package is named
chalk-pack(impersonatingchalk) with keywords andindex.jsimpersonatinglodash;index.jsis a stub that self-describes as 'Just a dummy module. The real payload is in postinstall.js'. Onnpm install,postinstall.jsexecutes a two-part stealer: (1) credential harvester — reads~/.npmrc,~/.env, and~/.git-credentials, extracts npm auth tokens (npm_[a-zA-Z0-9]{36}and//registry.npmjs.org/:_authToken=...), and scrapes environment variables shaped like tokens/API keys/DB URLs/cloud/payment credentials; (2) crypto-wallet stealer — iterates 71 hardcoded Chromium/Brave/Edge/Firefox extension IDs for MetaMask, Phantom, Coinbase, Trust, Binance, OKX, Ledger, Trezor, Rabby, Keplr, Solflare, BitKeep, etc., readsLocal Extension Settings/<extId>/*.log, regex-matchesvault,seed,mnemonic,privateKey, and encrypted wallet JSON, and also walks~/Documents,~/Desktop,~/Downloadsfor BIP39-word-count-matching files. All collected data is POSTed as JSON tohttp://149.28.127.35:8888(plaintext HTTP, bare IP) hardcoded inconst C2=process.env.C2_URL||'http://149.28.127.35:8888'at postinstall.js:7. The file header advertises itself as 'Token harvester + Crypto wallet scanner / Runs on npm install. Silent. Zero trace.' and every fs/http call is wrapped intry{}catch(e){}to suppress errors. Multiple independent attack fingerprints co-occur: hardcoded C2 in a lifecycle hook, installer-secret credential-file reads, wallet extension ID list, BIP39 seed-phrase scanner, and typosquat of a top-registry package — each independently sufficient. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-002647", "import_time": "2026-05-15T07:37:15.405469171Z", "sha256": "3e6eab5e9e696250cc719b36e144f4534cac2b38a25521cda80222b6c66cd64c", "source": "amazon-inspector", "modified_time": "2026-05-14T19:24:45Z", "versions": [ "1.0.4" ] }, { "id": "IN-MAL-2026-002808", "import_time": "2026-05-15T07:37:20.248421441Z", "sha256": "fb5b1dd23f490f87a1017ccfaf83acc738ad2fcf296016e958d9c2faeb921792", "source": "amazon-inspector", "modified_time": "2026-05-15T03:08:40Z", "versions": [ "2.0.0" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / chalk-pack
Package
- Name
- chalk-pack
- View open source insights on deps.dev
- Purl
- pkg:npm/chalk-pack
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "postinstall.js",
"sha256": "6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9",
"tlsh": "0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb"
},
{
"path": "package.json",
"sha256": "cc34694aa3eff92886a89cfc5f623e090a5eeab25a631057b52e3f0919162276",
"tlsh": "2bd02b20cb119d3324c417560a1b414969714d1700447c4833cb01ac875a3ba98ff61e"
}
],
"package_integrity": [
{
"filename": "chalk-pack-1.0.4.tgz",
"hashes": {
"sha512_sri": "sha512-5iUIB+WfRkGA+bK+wVAOhB1Z9mhFLu6X+Kbsy0xoAAe/5vm63P7aq6Qh7R3A+OEzD6UmOqImflmEb+oFXUJxcQ==",
"sha1": "d9fe4e835f0626958bb06d65f11cc4b506dc2c0a"
}
}
],
"domains": [
"http://149.28.127.35:8888"
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-pack/MAL-2026-3754.json"