OSV-MAL-2026-5709

Malicious code in chalk-plus-js (npm)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f5351482f03a50cab8a28b6aa7c992c960a55c6889634d2a04bb86a157ac18d1) Package is published under a name riding the popular chalk color-output library but its source tree, README, main entry (lib/nodemailer.js), and lib paths (smtp-connection, mailer, ses-transport, smtp-pool, dkim, mime-funcs) are a verbatim clone of nodemailer. The package.json description is an unrelated React Training copyright string and the homepage points at a lookalike domain (chalk-plus-js.com). On install, the postinstall hook `node lib/utils/index.js` spawns lib/utils/smtp-connection/index.js as a detached child with stdio fully silenced (`spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore','ignore','ignore'] }); child.unref()`), so the dropper survives `npm install` exit with no console output. The target file is heavily obfuscated using a custom-alphabet string array and per-block decoders inside try/catch wrappers; decoded values are fed to `require(...)`, `spawn(...)`, and the argument pattern `['-e', <decoded>]` with `shell: true` — i.e. it executes attacker-controlled code through a shell at install time. The payload requires axios, fs, path, child_process, and the package's runtime dependency footprint (axios, socket.io-client, sqlite3, request) is consistent with HTTP/websocket C2 plus local persistence — none of which a nodemailer clone needs. Any developer who mistypes or trusts the name chalk-plus-js executes attacker code with their own privileges on `npm install`.