registry  /  chalkdev  /  1.0.0

chalkdev@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10583 confirms this npm version as malicious. chalkdev is a near-empty package (index.js exports {}, 11-byte README) whose sole runtime behavior is a postinstall hook that runs `.init.js` on `npm install`. `.init.js` enumerates installer-side secret environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, GOOGLE_APPLICATION_CREDENTIALS), reads credential files from the user's home directory...

Advisory
MAL-2026-10583
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chalkdev (npm)
Details
chalkdev is a near-empty package (index.js exports {}, 11-byte README) whose sole runtime behavior is a postinstall hook that runs `.init.js` on `npm install`. `.init.js` enumerates installer-side secret environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, GOOGLE_APPLICATION_CREDENTIALS), reads credential files from the user's home directory (`~/.npmrc`, `~/.env`, `~/.env.local`, `~/.env.production`, `~/config.json`, `~/credentials.json`), and scans `~/.config` for filenames containing `token`, `cred`, or `secret`. It also collects host identifiers via `os.hostname()` and `os.platform()`. The harvested data is POSTed as JSON to a hardcoded `https://webhook.cool/at/tender-deer-80/...` endpoint. The package name typosquats the popular `chalk` library.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 18 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.postinstall = node .init.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High1 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present