-= Per source details. Do not edit below this line.=-
package.json declares postinstall=node lib/utils/index.js, which spawns a detached child process running lib/utils/smtp-connection/index.js. That script fetches https://www.jsonkeeper.com/b/QHDXR (a mutable, anonymous JSON paste host) and passes the response's cookie field directly into new Function('require', data.cookie)(require), executing attacker-controlled JavaScript with full Node privileges on every machine that installs the package. Because the paste can be changed at any time, the hashes recorded for the package do not identify the code that actually ran on a given machine. The child process is detached and its stdio is ignored, which is designed to suppress visibility of the activity. The package additionally ships lib/utils/smtp-connection/parse.js, which exposes an AES-256-CBC decryption helper with a hardcoded key and IV — consistent with a staged loader for decoding subsequent payloads delivered through the same channel. Identity is laundered: the package name chalk-plus-ts impersonates the popular chalk package, the main entry is a verbatim copy of nodemailer.js, the author field is set to nodemailer's real maintainer (Andris Reinman), and the description field is unrelated React Training boilerplate — all to lure installs from multiple ecosystems. Of the domains listed in the record below, this description ties only www.jsonkeeper.com to the malicious behavior; github.com and release-assets.githubusercontent.com are shared hosting domains and are better read as context than as indicators on their own.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.3"
],
"sha256": "08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c",
"modified_time": "2026-06-12T20:34:58Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-006228",
"import_time": "2026-06-12T20:49:37.79351896Z"
},
{
"versions": [
"1.0.3"
],
"sha256": "4e21033bf30adc04a20f48e89e1cb8ec1544a3d56c12a23b19f11be9ac17666e",
"source": "amazon-inspector",
"modified_time": "2026-06-12T20:34:59Z",
"id": "IN-MAL-2026-006229",
"import_time": "2026-06-12T20:49:37.922873011Z"
}
]
}{
"package_integrity": [
{
"filename": "chalk-plus-ts-1.0.3.tgz",
"hashes": {
"sha512_sri": "sha512-OnfSBqmrsMRPnVnRRgusimvi38do+hy8qjYZPSdrM2trfWZD2Boa7cspAtQfjDe2nrsQgo6KIRVT/1JbJf6xMA==",
"sha1": "e5597cc2c4ca0ae1b07696fed4508ac419b4f2c4"
}
}
],
"evidence_files": [
{
"sha256": "e72ab44afd0114c64138b8ada7f91c7d12fd09be68ca28973465bed185552323",
"path": "lib/utils/smtp-connection/index.js",
"tlsh": "05f0c06a19f35238521b22c94b5b040a3007d007379aed89f7cc87e02fc39909d42fb8"
},
{
"sha256": "4d3da7ac75c39bc24c8e92476867ad33d9e619245caa3756cad97b408e2588d3",
"path": "package.json",
"tlsh": "9f41a614cd2a8ce3229425eea46c1183a520d00f8d06b85d734c038c8fce99f36baf2e"
},
{
"sha256": "4aac106a4f36aba6433c7ded453d724307ee55616e240883cd46204549cf24b1",
"path": "lib/utils/smtp-connection/parse.js",
"tlsh": "7cf0a6802cb8fb900345b0e7c0bbeb07a198a068312287a48a8f9d5a45868488a130dd"
}
],
"domains": [
"www.jsonkeeper.com",
"github.com",
"release-assets.githubusercontent.com"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-plus-ts/MAL-2026-5710.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]