-= Per source details. Do not edit below this line.=-
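On npm install, all three lifecycle hooks (preinstall, install, postinstall) execute postinstall.js, which harvests installer secrets and exfiltrates them to an attacker-controlled localhost.run SSH tunnel at edcf8b03c84634.lhr.life. The script reads ~/.ssh/*, ~/.aws/credentials and config, ~/.config/gcloud, ~/.azure, ~/.npmrc, ~/.kube/config, ~/.docker/config.json, browser profile directories, crypto wallets, VPN configs, shell histories, and dotfiles; dumps process.env; and regex-matches GitHub, AWS, Google, Stripe, Slack, and Discord tokens. It also fingerprints the host via api.ipify.org and ipapi.co (public IP, country, city, ISP, lat/lon, hostname, username, uid/gid, local IPs) and POSTs the full bundle to https://edcf8b03c84634.lhr.life/collect via https.request. The package additionally declares a dependency on itself (color-style-utils: ^1.0.4) and ships an undeclared ~35 KB sibling file, postinstall2.jsµ, whose name ends in a non-ASCII character and which is not referenced by any documented script (the evidence file list below records it as postinstall2.js) — both consistent with name-squat/decoy smuggling patterns. The indicator list below names a different tunnel host (edd0df80546ec3.lhr.life) than the one described here, so the lhr.life subdomain appears to vary between versions; detection should not depend on a single hostname, and is better keyed on lhr.life egress from build and developer hosts together with the /collect path and the listed file hashes. Because the hooks run at install time, any host that installed an affected version should treat the credential stores and environment secrets listed above as exposed and rotate them.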
{
"malicious-packages-origins": [
{
"modified_time": "2026-05-20T02:26:03Z",
"versions": [
"1.0.9"
],
"sha256": "16a2ac63ceea80ca65ff07cd7a53193b897401be1eb015dfd90cb0d75295bf8b",
"id": "IN-MAL-2026-003412",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:35.782634392Z"
},
{
"modified_time": "2026-05-20T02:50:22Z",
"versions": [
"1.0.8"
],
"sha256": "c22ac2a127cc9b7c67336ce4cf43e53b1970c64a2a964e7dda025a2123bdf5c0",
"id": "IN-MAL-2026-003436",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:38.393649282Z"
},
{
"modified_time": "2026-05-20T18:38:55Z",
"versions": [
"1.0.3"
],
"sha256": "da6a7250092f3e9c567f31688ec6135543411ecb5cf6965ef6774ec42eafb1ca",
"id": "IN-MAL-2026-003590",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:55.10790025Z"
},
{
"modified_time": "2026-05-20T02:11:31Z",
"versions": [
"1.0.7"
],
"sha256": "87fb8a0ae3bd2b5e590100bb23ec07265819216eba9cb99ba0010dd06797d894",
"id": "IN-MAL-2026-003399",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:34.261406818Z"
},
{
"modified_time": "2026-05-20T02:20:23Z",
"versions": [
"1.0.4"
],
"sha256": "968e7ba9eea340cb571531bc44e6cfc6b542312b4c3470adbf7e084e7896a2d3",
"id": "IN-MAL-2026-003405",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:34.941292852Z"
},
{
"modified_time": "2026-05-20T02:20:23Z",
"versions": [
"1.0.4"
],
"sha256": "9b4ea1d1a4d8eafd3ea4938b74c3afc1ae8fa3b0af3011913186543c8c56c4ce",
"id": "IN-MAL-2026-003404",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:34.839809654Z"
},
{
"modified_time": "2026-05-20T02:50:58Z",
"versions": [
"1.0.5"
],
"sha256": "ad7a9aa944e224bf8f065a8e3a0ed84b419749bcb3d2191ac706be73e8936401",
"id": "IN-MAL-2026-003439",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:38.723831216Z"
},
{
"modified_time": "2026-05-20T18:38:55Z",
"versions": [
"1.0.3"
],
"sha256": "e560402c6bd2f75b2c3bdb46fd0dc67f4ff073701ad63b369df2b1499654a2d5",
"id": "IN-MAL-2026-003591",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:55.239662757Z"
},
{
"modified_time": "2026-05-20T02:50:57Z",
"versions": [
"1.0.5"
],
"sha256": "47cf4aaa2cd7a20b222a1a4150a7b9e1f79d9b0a09c8fe4a5689e55bad9bc087",
"id": "IN-MAL-2026-003438",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:38.602041175Z"
},
{
"import_time": "2026-05-26T05:50:35.887161404Z",
"versions": [
"1.0.9"
],
"sha256": "8e3f3c4ea23f95da7fe79d16bcb6af3cf96a4b8d6918aa9d0d0381d134bff9a5",
"id": "IN-MAL-2026-003413",
"source": "amazon-inspector",
"modified_time": "2026-05-20T02:26:03Z"
},
{
"modified_time": "2026-05-20T02:50:23Z",
"versions": [
"1.0.8"
],
"sha256": "a0575ae60cd804b6bb973b55e00ff81f457cea92b576a13cc7c803d6b21a6e7a",
"id": "IN-MAL-2026-003437",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:38.499570391Z"
},
{
"modified_time": "2026-05-20T02:11:31Z",
"versions": [
"1.0.7"
],
"sha256": "bb9faca24e535571d455ec23147dea8cae065e21162d69688e69ec81dd4924ce",
"id": "IN-MAL-2026-003398",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:34.137869512Z"
}
]
}{
"domains": [
"api.ipify.org",
"ipapi.co",
"edd0df80546ec3.lhr.life"
],
"evidence_files": [
{
"sha256": "7a4e9467f792f9c44eefea39f820ee36802c33458705aa96114676188296258a",
"tlsh": "4c8230a103f615650d63dda9eb4350016922d2533900b95c7fed6fc82f1b52eaaf2bb8",
"path": "postinstall.js"
},
{
"sha256": "159129f87df460f5f655a87169220966b0fd4db53339bd2cdd1ae06752ef2c80",
"tlsh": "11f284cb12f6252089a3aa796b0790016537e1537146ed9c7fdc5b881f12f289af1bfc",
"path": "postinstall2.js"
}
],
"package_integrity": [
{
"filename": "color-style-utils-1.0.9.tgz",
"hashes": {
"sha512_sri": "sha512-SFIizF+FxcgPXs8k+wmhYwsvsHvJdIwah2nyY1/Eg33eNTWoTFYTSony6knm5lZAdWaDHQ0n0Uk3Vy1WBbvexw==",
"sha1": "4bd6d022f8a54221b275249eda04850895ce84e8"
}
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/color-style-utils/MAL-2026-4534.json"