OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10583 confirms this npm version as malicious. chalkdev is a near-empty package (index.js exports {}, 11-byte README) whose sole runtime behavior is a postinstall hook that runs `.init.js` on `npm install`. `.init.js` enumerates installer-side secret environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, GOOGLE_APPLICATION_CREDENTIALS), reads credential files from the user's home directory...
Advisory
MAL-2026-10583
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chalkdev (npm)
Details
chalkdev is a near-empty package (index.js exports {}, 11-byte README) whose sole runtime behavior is a postinstall hook that runs `.init.js` on `npm install`. `.init.js` enumerates installer-side secret environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, GOOGLE_APPLICATION_CREDENTIALS), reads credential files from the user's home directory (`~/.npmrc`, `~/.env`, `~/.env.local`, `~/.env.production`, `~/config.json`, `~/credentials.json`), and scans `~/.config` for filenames containing `token`, `cred`, or `secret`. It also collects host identifiers via `os.hostname()` and `os.platform()`. The harvested data is POSTed as JSON to a hardcoded `https://webhook.cool/at/tender-deer-80/...` endpoint. The package name typosquats the popular `chalk` library.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
Trivial
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node .init.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High1 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present