MAL-2026-3755

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-utils/MAL-2026-3755.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3755
Published
2026-05-14T19:24:57Z
Modified
2026-05-15T07:51:52.920361Z
Summary
Malicious code in chalk-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d0fe2974289b691a9f5541068f2e399aecb14a719779202ff5999652ffe351db)

On npm install, postinstall.js runs a credential and cryptocurrency stealer against the installer's machine. It reads ~/.npmrc (extracting authToken and npm* tokens), ~/.git-credentials, and ~/.env (extracting values keyed by token/secret/password/api/aws/gcp/stripe patterns), then iterates a hardcoded list of 71 browser extension IDs for major crypto wallets (MetaMask, Phantom, Coinbase Wallet, Exodus, Trust, Binance, OKX, Ledger Live, Trezor, and others) across Chrome/Brave/Edge/Chromium/Vivaldi/Opera profiles, reading each extension's Local Extension Settings LevelDB .log files and applying regexes for vault, seed, privateKey, mnemonic, password, and encrypted.

It additionally walks ~/Documents, ~/Desktop, and ~/Downloads for filenames matching crypto keywords (seed, backup, wallet, phrase, metamask, phantom, vault, key, private), scores file contents against a BIP-39 word list, and harvests any file with >=8 BIP-39 matches along with a 100-character content preview. Harvested data (plus os.hostname() and os.userInfo().username) is POSTed in cleartext to http://149.28.127.35:8888, a bare-IP C2 endpoint overridable via a C2_URL environment variable to support endpoint rotation.

The package name chalk-utils masquerades as belonging to the chalk ecosystem, while index.js is a dummy stub whose comment reads "lodash-js — Just a dummy module". The real payload is in postinstall.js, which self-describes as "Token harvester + Crypto wallet scanner. Runs on npm install. Silent. Zero trace."

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-14T19:24:58Z",
            "versions": [
                "1.0.4"
            ],
            "sha256": "91db66ecd03074751b8ba9161392a616bb388110f87bde3bba527b072060d047",
            "id": "IN-MAL-2026-002670",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:15.664565703Z"
        },
        {
            "modified_time": "2026-05-14T19:24:58Z",
            "versions": [
                "2.0.0"
            ],
            "sha256": "abf624d09ac235b4070c91a31cdc049ee53620da917208668be8003956368687",
            "id": "IN-MAL-2026-002671",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:15.693339695Z"
        },
        {
            "modified_time": "2026-05-14T19:24:57Z",
            "versions": [
                "1.0.3"
            ],
            "sha256": "d0fe2974289b691a9f5541068f2e399aecb14a719779202ff5999652ffe351db",
            "id": "IN-MAL-2026-002669",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:15.628977132Z"
        }
    ]
}

Affected packages

Package: npm / chalk-utils
Affected ranges: 1.*, 2.*
Affected versions: 1.0.3, 1.0.4, 2.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "6ac41974ce61de899439008088ad972e7ab2ac161b3abf61fcd6796f28a941d9",
            "tlsh": "0452e994aaa9021c596382bbd75775b40499e90b35c1e8b4f78f03489f0974d2ef33bb",
            "path": "postinstall.js"
        },
        {
            "sha256": "cf18b5e5515b45acb020b8e99d6407ee69256f682a2bf7c7cb3ba51514bb7d00",
            "tlsh": "dcd02b308a128e3320c417531b1b414569b14d5701047c5c33cb015c47aa3b698ff60e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-n7DleCpMvzvH8B5KIqK6gXN0Rdf+Gt5jZFmokPNtfpGYnZwWctnM2uqYKyqxg0OSs485+eyJzlJXq39Ep87TDw==",
                "sha1": "9afc6d4dbaa55bd4c89830bb42221d0c6ded9d5f"
            },
            "filename": "chalk-utils-1.0.4.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-utils/MAL-2026-3755.json"