-= Per source details. Do not edit below this line.=-
The package name chalk-tempalte differs from the popular chalk-template package (a top-tier npm utility) only by a transposition of two adjacent characters ("la" → "al"), consistent with deliberate typosquatting. The tarball ships a postinstall.js lifecycle script that imports child_process, sends HTTP GET and POST requests via http.request(...), and collects host identifiers (hostname: fields appear repeatedly in the script, at lines 20, 46, 287, 409 and 427). A second, large file, phantom.js, contains multiple POST sinks (lines 1807, 2113, 3183, 6795, 6852). This structural shape — a typosquatted name plus a postinstall script that combines child_process, outbound HTTP, and host/system metadata harvesting — matches the credential/host-data exfiltration pattern used by recent npm supply-chain campaigns. Because npm runs the postinstall hook automatically during npm install, installing this package transmits data about the installing machine to a remote endpoint and provides a foothold for further code execution; the hook does not run when lifecycle scripts are disabled (for example with npm's --ignore-scripts option).
{
"malicious-packages-origins": [
{
"versions": [
"1.0.15"
],
"sha256": "0dbbedbc9885ab0402df3ea58ad1e3efbe33154089e167af2a7493174fa8168a",
"modified_time": "2026-05-20T02:32:48Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003421",
"import_time": "2026-05-26T05:50:36.703635173Z"
},
{
"versions": [
"1.0.16"
],
"sha256": "1b46901047e08017bf0dd3a8edddd3b5b41b2bfc568487dd4420e37b07fb2b58",
"source": "amazon-inspector",
"modified_time": "2026-05-20T02:21:45Z",
"id": "IN-MAL-2026-003409",
"import_time": "2026-05-26T05:50:35.388926785Z"
},
{
"versions": [
"1.0.14"
],
"sha256": "1b69dc559752cb056e834f5687f268e935b373bbe24c3499738601be672f87f9",
"modified_time": "2026-05-20T02:22:40Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003411",
"import_time": "2026-05-26T05:50:35.678873968Z"
},
{
"versions": [
"1.0.17"
],
"sha256": "b61844f5e8edacf86401cbc715ec84fae400cc29417b3c10993d3e1314ce13ff",
"modified_time": "2026-05-20T02:27:06Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003414",
"import_time": "2026-05-26T05:50:35.985579113Z"
},
{
"versions": [
"1.0.19"
],
"sha256": "d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7",
"modified_time": "2026-05-20T02:07:31Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:33.402887211Z",
"id": "IN-MAL-2026-003393"
},
{
"versions": [
"1.0.16"
],
"sha256": "ec649aaa3ddfd4426b0b4076c10d98e3caac8efdee798007423b49a89cff2d15",
"modified_time": "2026-05-20T02:21:44Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003408",
"import_time": "2026-05-26T05:50:35.279050957Z"
},
{
"versions": [
"1.0.20"
],
"sha256": "788cdc2d5da13ef256deec3bef835fef1f62c28ae9ae77606677951f615dba12",
"modified_time": "2026-05-20T18:45:16Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:55.34748867Z",
"id": "IN-MAL-2026-003592"
},
{
"versions": [
"1.0.15"
],
"sha256": "a50750faf25ea435dbed1d83e0bb3ae9bcad627770fcbe1213fcde2c5e168d86",
"modified_time": "2026-05-20T02:32:48Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-003420",
"import_time": "2026-05-26T05:50:36.602438299Z"
},
{
"versions": [
"1.0.14"
],
"sha256": "c0ffe3887c093cd245be6407cffd38d98851d4c4aaae87dad81a0cbf9376e8a4",
"modified_time": "2026-05-20T02:22:40Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:35.552335864Z",
"id": "IN-MAL-2026-003410"
},
{
"versions": [
"1.0.17"
],
"sha256": "de2bc8855ed757642753f9c434aaf3a48b1a8806176970046b851433c66ba154",
"modified_time": "2026-05-20T02:27:06Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:36.085632616Z",
"id": "IN-MAL-2026-003415"
}
]
}{
"package_integrity": [
{
"filename": "chalk-tempalte-1.0.17.tgz",
"hashes": {
"sha512_sri": "sha512-LTXWiDvzVb76+cSz4H38Xgw58ZQrbY0eMVpoh3kBBGrflw5/yxogb066CZNNHgIDG4QInxxqowCHF3pKJH1X0A==",
"sha1": "de43a8c6ffd8984edfce333242997184360afe1e"
}
}
],
"evidence_files": [
{
"sha256": "ffba9bdd6793edd5b38e12900252c1813a693f59c25af51c3b658cf3f27b6162",
"path": "postinstall.js",
"tlsh": "218230a103f615650d63ddadeb4350016922d2433900b95c7fed6fc82f1b52eaaf2bb8"
}
],
"domains": [
"api.ipify.org",
"b94b6bcfa27554.lhr.life"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-tempalte/MAL-2026-4517.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]