MAL-2026-5709

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-plus-js/MAL-2026-5709.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5709
Published
2026-06-12T20:38:05Z
Modified
2026-06-12T21:01:43.422114461Z
Summary
Malicious code in chalk-plus-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f5351482f03a50cab8a28b6aa7c992c960a55c6889634d2a04bb86a157ac18d1)

The package is published under a name that rides on the popular chalk color-output library, but its source tree, README, main entry (lib/nodemailer.js), and lib paths (smtp-connection, mailer, ses-transport, smtp-pool, dkim, mime-funcs) are a verbatim clone of nodemailer. The package.json description is an unrelated React Training copyright string, and the homepage points at a lookalike domain (chalk-plus-js.com).

On install, the postinstall hook node lib/utils/index.js spawns lib/utils/smtp-connection/index.js as a detached child with stdio fully silenced (spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore','ignore','ignore'] }); child.unref()), so the dropper outlives the npm install process and produces no console output. The target file is heavily obfuscated with a custom-alphabet string array and per-block decoders wrapped in try/catch; the decoded values are fed to require(...), spawn(...), and the argument pattern ['-e', <decoded>] with shell: true, i.e. attacker-controlled code is executed through a shell at install time. The payload requires axios, fs, path, and child_process, and the package's runtime dependency footprint (axios, socket.io-client, sqlite3, request) is consistent with HTTP/WebSocket C2 plus local persistence; none of this is needed by a nodemailer clone. Any developer who mistypes or trusts the name chalk-plus-js runs attacker code with their own privileges on npm install.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "7.0.4"
            ],
            "sha256": "f4dd85fdba129ac0e507f8ba04076974f722c3494d8abd938c89c6063e1364fc",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T20:38:06Z",
            "id": "IN-MAL-2026-006234",
            "import_time": "2026-06-12T20:49:38.373105072Z"
        },
        {
            "versions": [
                "7.0.4"
            ],
            "sha256": "f5351482f03a50cab8a28b6aa7c992c960a55c6889634d2a04bb86a157ac18d1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T20:38:05Z",
            "id": "IN-MAL-2026-006233",
            "import_time": "2026-06-12T20:49:38.270139857Z"
        }
    ]
}
References
Credits

Affected packages

npm / chalk-plus-js

Package

Affected ranges

Affected versions

7.*
7.0.4

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "chalk-plus-js-7.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-0KW66VFZzWfvoq1BqLsviZyEogV8t3Th45OhOOqBt4cbHV0yxqFBMTMgpFZfR44hJE4XnUHk/zTSK5o24DwfYw==",
                "sha1": "042daaba915c2b5c4a7fe3e12a2e23ffd5690e6e"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "9fb27c30f484650bb4a39f65a03fbccdc0b9b5f1cb84700ca73ee8893c66e06e",
            "path": "lib/utils/index.js",
            "tlsh": "dae0686a23533738a034cbc1da30ce3b258b8020b365a0e0f00c406a2bc72c406ea8da"
        },
        {
            "sha256": "bd09a61b5a7ea75f15ca436de5235ff6e5cdb10eeb2ef02b9b9d6d03f7817f18",
            "path": "lib/utils/smtp-connection/index.js",
            "tlsh": "a1332a41d0d2ffedd9ac60da1666a60c4d208d6ad7c8328d2647e03f9e7098653fdbc8"
        },
        {
            "sha256": "9a31639305d240164e958ed719bb7827ff91420c69e9ed1e4e7de8a5e1c03e7b",
            "path": "package.json",
            "tlsh": "5041cc15cd6a8ce3229525edb47c12836560d00f8d06b85d734c138c4f8e99f36b9f5d"
        }
    ],
    "domains": [
        "github.com",
        "release-assets.githubusercontent.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-plus-js/MAL-2026-5709.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]