npm · Malicious package advisory
Malwarechlklib
MAL-2026-6470
Malicious code in chlklib (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (b08a933891c92fdec26fbadf4921d2e08ff101126fb656a2b57d747fefa9d0d4) Package name `chlklib` is a one-character deletion of the popular `chalk` package and replicates chalk's public API surface (Chalk, chalkStderr, supportsColor, colorNames). On require/import, the main entry invokes `getOriginal()` at module top level, which POSTs to https://funnystore.org/lib/index.php, XOR-decodes the response body with a hardcoded key, and passes the result to `eval()` (see dist/vendor/original-color/index.cjs around line 55, invoked from dist/index.cjs). Any developer who installs and requires this package — most likely after mistyping `chalk` — immediately executes attacker-controlled JavaScript fetched at runtime from funnystore.org. The remote endpoint is mutable and unrelated to the package's stated 'terminal prompt' purpose, giving the operator full RCE on the installer's machine on every require. The XOR-then-eval obfuscation and typosquat-with-replicated-API shape together match a deliberate dropper campaign rather than any legitimate use case.
Compromised versions (4)
- 1.2.3
- 1.2.2
- 1.2.0
- 1.2.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.