npm · Malicious package advisory
Malwarechalk-tempalte
MAL-2026-4517
Malicious code in chalk-tempalte (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7) Package name `chalk-tempalte` is a single-character transposition of the popular `chalk-template` package (a top-tier npm utility), consistent with deliberate typosquatting. The tarball ships a `postinstall.js` lifecycle script that imports `child_process`, performs HTTP GET/POST traffic via `http.request(...)`, and collects host identifiers (`hostname:` fields appear repeatedly throughout the script at lines 20, 46, 287, 409, 427). A second large file, `phantom.js`, contains multiple POST sinks (lines 1807, 2113, 3183, 6795, 6852). The structural shape — typosquat name + postinstall script that combines child_process, outbound HTTP, and host/system metadata harvesting — matches the credential/host-data exfiltration pattern used by recent npm supply-chain campaigns. Installing this package causes the postinstall hook to fire automatically on `npm install`, transmitting installer machine data to a remote endpoint and providing a foothold for further code execution.
Compromised versions (6)
- 1.0.15
- 1.0.16
- 1.0.14
- 1.0.17
- 1.0.19
- 1.0.20
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.