VYPR

npm · Malicious package advisory

Malware

color-style-utils

MAL-2026-4534

Malicious code in color-style-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (47cf4aaa2cd7a20b222a1a4150a7b9e1f79d9b0a09c8fe4a5689e55bad9bc087)
On `npm install`, all three lifecycle hooks (preinstall, install, postinstall) execute postinstall.js, which harvests installer secrets and exfiltrates them to an attacker-controlled localhost.run SSH tunnel at edcf8b03c84634.lhr.life. The script reads ~/.ssh/*, ~/.aws/credentials and config, ~/.config/gcloud, ~/.azure, ~/.npmrc, ~/.kube/config, ~/.docker/config.json, browser profile directories, crypto wallets, VPN configs, shell histories, and dotfiles; dumps process.env; and regex-matches GitHub, AWS, Google, Stripe, Slack, and Discord tokens. It also fingerprints the host via api.ipify.org and ipapi.co (public IP, country, city, ISP, lat/lon, hostname, username, uid/gid, local IPs) and POSTs the full bundle to https://edcf8b03c84634.lhr.life/collect via https.request. The package additionally declares a self-referential dependency on itself (color-style-utils: ^1.0.4) and ships an undeclared ~35 KB sibling file `postinstall2.jsµ` with a non-ASCII suffix that is not referenced by any documented script — both consistent with name-squat/decoy smuggling patterns.

Compromised versions (7)

  • 1.0.9
  • 1.0.8
  • 1.0.3
  • 1.0.7
  • 1.0.4
  • 1.0.5
  • 1.0.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.