npm · Malicious package advisory
Malwarecolor-style-utils
MAL-2026-4534
Malicious code in color-style-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (47cf4aaa2cd7a20b222a1a4150a7b9e1f79d9b0a09c8fe4a5689e55bad9bc087) On `npm install`, all three lifecycle hooks (preinstall, install, postinstall) execute postinstall.js, which harvests installer secrets and exfiltrates them to an attacker-controlled localhost.run SSH tunnel at edcf8b03c84634.lhr.life. The script reads ~/.ssh/*, ~/.aws/credentials and config, ~/.config/gcloud, ~/.azure, ~/.npmrc, ~/.kube/config, ~/.docker/config.json, browser profile directories, crypto wallets, VPN configs, shell histories, and dotfiles; dumps process.env; and regex-matches GitHub, AWS, Google, Stripe, Slack, and Discord tokens. It also fingerprints the host via api.ipify.org and ipapi.co (public IP, country, city, ISP, lat/lon, hostname, username, uid/gid, local IPs) and POSTs the full bundle to https://edcf8b03c84634.lhr.life/collect via https.request. The package additionally declares a self-referential dependency on itself (color-style-utils: ^1.0.4) and ships an undeclared ~35 KB sibling file `postinstall2.jsµ` with a non-ASCII suffix that is not referenced by any documented script — both consistent with name-squat/decoy smuggling patterns.
Compromised versions (7)
- 1.0.9
- 1.0.8
- 1.0.3
- 1.0.7
- 1.0.4
- 1.0.5
- 1.0.6
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.