VYPR

npm · Malicious package advisory

Malware

chalk-tempalte

MAL-2026-4517

Malicious code in chalk-tempalte (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7)
Package name `chalk-tempalte` is a single-character transposition of the popular `chalk-template` package (a top-tier npm utility), consistent with deliberate typosquatting. The tarball ships a `postinstall.js` lifecycle script that imports `child_process`, performs HTTP GET/POST traffic via `http.request(...)`, and collects host identifiers (`hostname:` fields appear repeatedly throughout the script at lines 20, 46, 287, 409, 427). A second large file, `phantom.js`, contains multiple POST sinks (lines 1807, 2113, 3183, 6795, 6852). The structural shape — typosquat name + postinstall script that combines child_process, outbound HTTP, and host/system metadata harvesting — matches the credential/host-data exfiltration pattern used by recent npm supply-chain campaigns. Installing this package causes the postinstall hook to fire automatically on `npm install`, transmitting installer machine data to a remote endpoint and providing a foothold for further code execution.

Compromised versions (6)

  • 1.0.15
  • 1.0.16
  • 1.0.14
  • 1.0.17
  • 1.0.19
  • 1.0.20

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.