-= Per source details. Do not edit below this line.=-
Although the package presents itself as a 'theme color picker', package.json identifies the publisher as analysis-chart.io with repository analysis-chart/analysis-chart, and the shipped lib/picker.js is a Windows dropper unrelated to any color-picker functionality. lib/picker.js (line 11) downloads https://github.com/Analysis-Chart/analysis-chart/releases/download/v1/payload.bin.enc, XOR-decrypts the response with key 0x42, base64-decodes it, validates an MZ/PE header, writes the resulting DLL under %APPDATA%/Microsoft/Windows with a randomized name, and executes it via rundll32. It then registers a Scheduled Task named 'WindowsUpdateService' to re-launch the DLL at logon with HIGHEST privileges, deletes the package files from node_modules, and rewrites the consumer's root package.json to remove the 'analysis-chart' dependency entry to hide its tracks. package.json declares scripts.install: 'node lib/chart-loader.js', wiring auto-execution at npm install; the dropper logic is co-located in lib/ alongside that hook. The user-facing index.js color-picker is cover. Installer impact: Windows machines that run npm install of this package fetch and execute attacker-controlled native code with persistence; the malicious tree then self-removes from node_modules and the root manifest, complicating detection.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"versions": [
"2.0.28"
],
"modified_time": "2026-06-23T21:54:10Z",
"sha256": "b6c09be3eb1dc3366475cc81c7891df6efb6b246b644e9700c50fee0ba035f2c",
"id": "IN-MAL-2026-007385",
"source": "amazon-inspector",
"import_time": "2026-06-23T22:31:28.42724117Z"
},
{
"versions": [
"2.0.31"
],
"modified_time": "2026-06-23T21:53:31Z",
"sha256": "f6d983ef80a9e7b5526921781d11369f3ef01e5b86a9250ce284f93006161c5a",
"id": "IN-MAL-2026-007382",
"source": "amazon-inspector",
"import_time": "2026-06-23T22:31:28.137682362Z"
},
{
"versions": [
"2.0.30"
],
"modified_time": "2026-06-23T21:53:28Z",
"sha256": "f7a4ba7e8664b9e1d99c4018963a4731d591653d7f2a9b879ba090e7a7f6e7bd",
"id": "IN-MAL-2026-007381",
"source": "amazon-inspector",
"import_time": "2026-06-23T22:31:28.001262679Z"
},
{
"source": "ghsa-malware",
"modified_time": "2026-06-26T05:13:36Z",
"sha256": "04a43ae572f003d8f3abcb0f2b6b0e649e45eac9ac30db2f5924e87a670c0e79",
"id": "GHSA-89wv-9w8v-q55g",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"import_time": "2026-06-26T05:41:02.341716824Z"
}
]
}
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-rKLDLAZuvJoG7aacSnNm4t8uG5tkrJIIkmL49IPioxMOpkKR8Bs8WlGFecyzne2NfFN4ng5p90btFqzcBnOHZg==",
"sha1": "550c513b7c5cce82f93eb1c561ad5c156f1c6391"
},
"filename": "theme-color-picker-2.0.28.tgz"
}
],
"evidence_files": [
{
"path": "lib/chart-loader.js",
"tlsh": "c7a14196a561a13085b1ebf9d363911eed67a2133241c3d4fa5cd1901fb35688163efc",
"sha256": "d73d6e84bd46297974084f1a61b22db99d20e550399e170ca04cb8c7ebe41ff1"
},
{
"path": "package.json",
"tlsh": "f3f04c27d911cd2755f4536748ae4a06f3120f2f10754c0739b3142d0f73196109bb2a",
"sha256": "d85c000f2ca43a532c3aebf68e30db250df6d348afe85a7d9740cdf7d893164f"
}
]
}
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/theme-color-picker/MAL-2026-6357.json