MAL-2026-4517

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-tempalte/MAL-2026-4517.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4517
Published
2026-05-20T02:07:31Z
Modified
2026-05-26T06:02:13.426364308Z
Summary
Malicious code in chalk-tempalte (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7)

Package name chalk-tempalte is a single-character transposition of the popular chalk-template package (a top-tier npm utility), consistent with deliberate typosquatting. The tarball ships a postinstall.js lifecycle script that imports child_process, performs HTTP GET/POST traffic via http.request(...), and collects host identifiers (hostname: fields appear repeatedly throughout the script at lines 20, 46, 287, 409, 427). A second large file, phantom.js, contains multiple POST sinks (lines 1807, 2113, 3183, 6795, 6852). The structural shape — typosquat name + postinstall script that combines child_process, outbound HTTP, and host/system metadata harvesting — matches the credential/host-data exfiltration pattern used by recent npm supply-chain campaigns. Installing this package causes the postinstall hook to fire automatically on npm install, transmitting installer machine data to a remote endpoint and providing a foothold for further code execution.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.15"
            ],
            "sha256": "0dbbedbc9885ab0402df3ea58ad1e3efbe33154089e167af2a7493174fa8168a",
            "modified_time": "2026-05-20T02:32:48Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003421",
            "import_time": "2026-05-26T05:50:36.703635173Z"
        },
        {
            "versions": [
                "1.0.16"
            ],
            "sha256": "1b46901047e08017bf0dd3a8edddd3b5b41b2bfc568487dd4420e37b07fb2b58",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T02:21:45Z",
            "id": "IN-MAL-2026-003409",
            "import_time": "2026-05-26T05:50:35.388926785Z"
        },
        {
            "versions": [
                "1.0.14"
            ],
            "sha256": "1b69dc559752cb056e834f5687f268e935b373bbe24c3499738601be672f87f9",
            "modified_time": "2026-05-20T02:22:40Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003411",
            "import_time": "2026-05-26T05:50:35.678873968Z"
        },
        {
            "versions": [
                "1.0.17"
            ],
            "sha256": "b61844f5e8edacf86401cbc715ec84fae400cc29417b3c10993d3e1314ce13ff",
            "modified_time": "2026-05-20T02:27:06Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003414",
            "import_time": "2026-05-26T05:50:35.985579113Z"
        },
        {
            "versions": [
                "1.0.19"
            ],
            "sha256": "d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7",
            "modified_time": "2026-05-20T02:07:31Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:33.402887211Z",
            "id": "IN-MAL-2026-003393"
        },
        {
            "versions": [
                "1.0.16"
            ],
            "sha256": "ec649aaa3ddfd4426b0b4076c10d98e3caac8efdee798007423b49a89cff2d15",
            "modified_time": "2026-05-20T02:21:44Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003408",
            "import_time": "2026-05-26T05:50:35.279050957Z"
        },
        {
            "versions": [
                "1.0.20"
            ],
            "sha256": "788cdc2d5da13ef256deec3bef835fef1f62c28ae9ae77606677951f615dba12",
            "modified_time": "2026-05-20T18:45:16Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:55.34748867Z",
            "id": "IN-MAL-2026-003592"
        },
        {
            "versions": [
                "1.0.15"
            ],
            "sha256": "a50750faf25ea435dbed1d83e0bb3ae9bcad627770fcbe1213fcde2c5e168d86",
            "modified_time": "2026-05-20T02:32:48Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003420",
            "import_time": "2026-05-26T05:50:36.602438299Z"
        },
        {
            "versions": [
                "1.0.14"
            ],
            "sha256": "c0ffe3887c093cd245be6407cffd38d98851d4c4aaae87dad81a0cbf9376e8a4",
            "modified_time": "2026-05-20T02:22:40Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:35.552335864Z",
            "id": "IN-MAL-2026-003410"
        },
        {
            "versions": [
                "1.0.17"
            ],
            "sha256": "de2bc8855ed757642753f9c434aaf3a48b1a8806176970046b851433c66ba154",
            "modified_time": "2026-05-20T02:27:06Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:36.085632616Z",
            "id": "IN-MAL-2026-003415"
        }
    ]
}
References
Credits

Affected packages

npm / chalk-tempalte

Package

Affected ranges

Affected versions

1.*
1.0.14
1.0.15
1.0.16
1.0.17
1.0.19
1.0.20

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "chalk-tempalte-1.0.17.tgz",
            "hashes": {
                "sha512_sri": "sha512-LTXWiDvzVb76+cSz4H38Xgw58ZQrbY0eMVpoh3kBBGrflw5/yxogb066CZNNHgIDG4QInxxqowCHF3pKJH1X0A==",
                "sha1": "de43a8c6ffd8984edfce333242997184360afe1e"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "ffba9bdd6793edd5b38e12900252c1813a693f59c25af51c3b658cf3f27b6162",
            "path": "postinstall.js",
            "tlsh": "218230a103f615650d63ddadeb4350016922d2433900b95c7fed6fc82f1b52eaaf2bb8"
        }
    ],
    "domains": [
        "api.ipify.org",
        "b94b6bcfa27554.lhr.life"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-tempalte/MAL-2026-4517.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]