-= Per source details. Do not edit below this line.=-
The package is published under a name that rides on the popular chalk color-output library, but its source tree, README, main entry (`lib/nodemailer.js`), and lib paths (smtp-connection, mailer, ses-transport, smtp-pool, dkim, mime-funcs) are a verbatim clone of nodemailer. The package.json description is an unrelated React Training copyright string, and the homepage points at a lookalike domain (chalk-plus-js.com). On install, the postinstall hook `node lib/utils/index.js` spawns `lib/utils/smtp-connection/index.js` as a detached child with stdio fully silenced (`spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore','ignore','ignore'] }); child.unref()`), so the dropper outlives the `npm install` process and produces no console output. The spawned target file is heavily obfuscated using a custom-alphabet string array and per-block decoders inside try/catch wrappers; the decoded values are fed to `require(...)`, `spawn(...)`, and the argument pattern `['-e', <decoded>]` with `shell: true`, i.e. it executes attacker-controlled code through a shell at install time. The payload requires axios, fs, path, and child_process. The package's runtime dependency footprint (axios, socket.io-client, sqlite3, request) is consistent with HTTP/websocket C2 plus local persistence, none of which a nodemailer clone needs. Any developer who mistypes or trusts the name chalk-plus-js executes attacker code with their own privileges on `npm install`; because the code runs from the postinstall hook, this happens even if the package is never imported.
{
"malicious-packages-origins": [
{
"versions": [
"7.0.4"
],
"sha256": "f4dd85fdba129ac0e507f8ba04076974f722c3494d8abd938c89c6063e1364fc",
"source": "amazon-inspector",
"modified_time": "2026-06-12T20:38:06Z",
"id": "IN-MAL-2026-006234",
"import_time": "2026-06-12T20:49:38.373105072Z"
},
{
"versions": [
"7.0.4"
],
"sha256": "f5351482f03a50cab8a28b6aa7c992c960a55c6889634d2a04bb86a157ac18d1",
"source": "amazon-inspector",
"modified_time": "2026-06-12T20:38:05Z",
"id": "IN-MAL-2026-006233",
"import_time": "2026-06-12T20:49:38.270139857Z"
}
]
}{
"package_integrity": [
{
"filename": "chalk-plus-js-7.0.4.tgz",
"hashes": {
"sha512_sri": "sha512-0KW66VFZzWfvoq1BqLsviZyEogV8t3Th45OhOOqBt4cbHV0yxqFBMTMgpFZfR44hJE4XnUHk/zTSK5o24DwfYw==",
"sha1": "042daaba915c2b5c4a7fe3e12a2e23ffd5690e6e"
}
}
],
"evidence_files": [
{
"sha256": "9fb27c30f484650bb4a39f65a03fbccdc0b9b5f1cb84700ca73ee8893c66e06e",
"path": "lib/utils/index.js",
"tlsh": "dae0686a23533738a034cbc1da30ce3b258b8020b365a0e0f00c406a2bc72c406ea8da"
},
{
"sha256": "bd09a61b5a7ea75f15ca436de5235ff6e5cdb10eeb2ef02b9b9d6d03f7817f18",
"path": "lib/utils/smtp-connection/index.js",
"tlsh": "a1332a41d0d2ffedd9ac60da1666a60c4d208d6ad7c8328d2647e03f9e7098653fdbc8"
},
{
"sha256": "9a31639305d240164e958ed719bb7827ff91420c69e9ed1e4e7de8a5e1c03e7b",
"path": "package.json",
"tlsh": "5041cc15cd6a8ce3229525edb47c12836560d00f8d06b85d734c138c4f8e99f36b9f5d"
}
],
"domains": [
"github.com",
"release-assets.githubusercontent.com"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-plus-js/MAL-2026-5709.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]