MAL-2026-5710

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-plus-ts/MAL-2026-5710.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5710
Published
2026-06-12T20:34:58Z
Modified
2026-06-12T21:01:43.563856256Z
Summary
Malicious code in chalk-plus-ts (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c)

package.json declares postinstall=node lib/utils/index.js, which spawns a detached child process running lib/utils/smtp-connection/index.js. That script fetches https://www.jsonkeeper.com/b/QHDXR (a mutable, anonymous JSON paste host) and passes the response's cookie field directly into new Function('require', data.cookie)(require), executing attacker-controlled JavaScript with full Node privileges on every installer machine. The detached child with ignored stdio is designed to suppress visibility of the activity. The package additionally ships lib/utils/smtp-connection/parse.js, which exposes an AES-256-CBC decryption helper with a hardcoded key and IV — consistent with a staged loader for decoding subsequent payloads delivered through the same channel. Identity is laundered: the package name chalk-plus-ts impersonates the popular chalk package, the main entry is a verbatim copy of nodemailer.js, the author field is set to nodemailer's real maintainer (Andris Reinman), and the description field is unrelated React Training boilerplate — all to lure installs from multiple ecosystems.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c",
            "modified_time": "2026-06-12T20:34:58Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006228",
            "import_time": "2026-06-12T20:49:37.79351896Z"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "4e21033bf30adc04a20f48e89e1cb8ec1544a3d56c12a23b19f11be9ac17666e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T20:34:59Z",
            "id": "IN-MAL-2026-006229",
            "import_time": "2026-06-12T20:49:37.922873011Z"
        }
    ]
}
References
Credits

Affected packages

npm / chalk-plus-ts

Package

Affected ranges

Affected versions

1.*
1.0.3

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "chalk-plus-ts-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-OnfSBqmrsMRPnVnRRgusimvi38do+hy8qjYZPSdrM2trfWZD2Boa7cspAtQfjDe2nrsQgo6KIRVT/1JbJf6xMA==",
                "sha1": "e5597cc2c4ca0ae1b07696fed4508ac419b4f2c4"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e72ab44afd0114c64138b8ada7f91c7d12fd09be68ca28973465bed185552323",
            "path": "lib/utils/smtp-connection/index.js",
            "tlsh": "05f0c06a19f35238521b22c94b5b040a3007d007379aed89f7cc87e02fc39909d42fb8"
        },
        {
            "sha256": "4d3da7ac75c39bc24c8e92476867ad33d9e619245caa3756cad97b408e2588d3",
            "path": "package.json",
            "tlsh": "9f41a614cd2a8ce3229425eea46c1183a520d00f8d06b85d734c038c8fce99f36baf2e"
        },
        {
            "sha256": "4aac106a4f36aba6433c7ded453d724307ee55616e240883cd46204549cf24b1",
            "path": "lib/utils/smtp-connection/parse.js",
            "tlsh": "7cf0a6802cb8fb900345b0e7c0bbeb07a198a068312287a48a8f9d5a45868488a130dd"
        }
    ],
    "domains": [
        "www.jsonkeeper.com",
        "github.com",
        "release-assets.githubusercontent.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-plus-ts/MAL-2026-5710.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]