MAL-2026-6470

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chlklib/MAL-2026-6470.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6470
Published
2026-06-25T18:27:36Z
Modified
2026-06-25T19:31:22.812549937Z
Summary
Malicious code in chlklib (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b08a933891c92fdec26fbadf4921d2e08ff101126fb656a2b57d747fefa9d0d4)

The package name chlklib is the popular chalk package with the 'a' dropped and a 'lib' suffix appended, and it replicates chalk's public API surface (Chalk, chalkStderr, supportsColor, colorNames). On require/import, the main entry invokes getOriginal() at module top level, which POSTs to https://funnystore.org/lib/index.php, XOR-decodes the response body with a hardcoded key, and passes the result to eval() (see dist/vendor/original-color/index.cjs around line 55, invoked from dist/index.cjs). Any developer who installs and requires this package, most likely after mistyping chalk, immediately executes attacker-controlled JavaScript fetched at runtime from funnystore.org. The remote endpoint is mutable and unrelated to the package's stated 'terminal prompt' purpose, giving the operator full remote code execution on the installer's machine on every require; because the payload is chosen server-side at fetch time, whatever the endpoint serves during later analysis need not be what a given host actually executed. The XOR-then-eval obfuscation and the typosquat-with-replicated-API shape together match a deliberate dropper campaign rather than any legitimate use case.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.2.3"
            ],
            "modified_time": "2026-06-25T18:27:36Z",
            "sha256": "136a65e3a9bd3712d0e949a0a9b56747918d7d1436cbad01e204ab23ff5e990f",
            "id": "IN-MAL-2026-007526",
            "source": "amazon-inspector",
            "import_time": "2026-06-25T19:13:49.230688071Z"
        },
        {
            "versions": [
                "1.2.2"
            ],
            "modified_time": "2026-06-25T18:27:37Z",
            "sha256": "766413ce8bb9e5a330bf1a6f878e75a03528339df61dac409a66a06218e082d4",
            "id": "IN-MAL-2026-007527",
            "source": "amazon-inspector",
            "import_time": "2026-06-25T19:13:49.311925244Z"
        },
        {
            "versions": [
                "1.2.0"
            ],
            "modified_time": "2026-06-25T18:27:41Z",
            "sha256": "b08a933891c92fdec26fbadf4921d2e08ff101126fb656a2b57d747fefa9d0d4",
            "id": "IN-MAL-2026-007529",
            "source": "amazon-inspector",
            "import_time": "2026-06-25T19:13:49.484821524Z"
        },
        {
            "versions": [
                "1.2.1"
            ],
            "modified_time": "2026-06-25T18:27:38Z",
            "sha256": "fe013bde99ee7eafc14dc4db6ac67e239dd3ee3be046c2444c69b07181b236a3",
            "id": "IN-MAL-2026-007528",
            "source": "amazon-inspector",
            "import_time": "2026-06-25T19:13:49.3560492Z"
        }
    ]
}
References
Credits

Affected packages

npm / chlklib

Package: chlklib (npm)
Affected ranges: 1.*
Affected versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "chlklib-1.2.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-cPRZlR3K2900J28CU0nKgvvVtn5mgWHdVKiQm51kQ0tWH6vrcKh0P4yRDbF2NadaRh7myQl28LgWAtLM2An0nQ==",
                "sha1": "d6a4a13aa087d2a0328b196fe0487a8a7aaf2e26"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/vendor/original-color/index.cjs",
            "tlsh": "6251c647a6f4615a11f244fa632faa0177bea2e81108d958f6acc2f50fc642144d4aef",
            "sha256": "9faf80b37a3d9554bbe8b3ff443a6a114ce7c29ead29deaef766f2701cc52243"
        },
        {
            "path": "package.json",
            "tlsh": "8031b318c8b06ed77aca26b4aa5e8b56667140070a546f0433cd412c0fcc2df8aff1ce",
            "sha256": "f393aaa919fad51bf578515115f26444534b2957186fc22bc9a24fb8e47465a3"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chlklib/MAL-2026-6470.json"