OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10584 confirms this npm version as malicious. package.json declares a postinstall hook that runs.init.js on npm install. The script enumerates ~65 credential and CI environment variables (NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, cloud provider tokens, private keys), reads home-directory credential files including ~/.npmrc, ~/.env*, config.json, and credentials.json, and scans ~/.config for files matching token/cred/secret patterns...
Advisory
MAL-2026-10584
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chalkdevx (npm)
Details
package.json declares a postinstall hook that runs.init.js on npm install. The script enumerates ~65 credential and CI environment variables (NPM_TOKEN, GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY, STRIPE_*, DOCKER_*, cloud provider tokens, private keys), reads home-directory credential files including ~/.npmrc, ~/.env*, config.json, and credentials.json, and scans ~/.config for files matching token/cred/secret patterns. Collected data — together with host identifiers (os.hostname(), os.platform(), cwd, pid) — is POSTed as JSON to a hardcoded https://webhook.cool/at/tender-deer-80/... endpoint, a public webhook-inspection service unrelated to any declared package purpose. The package's declared functionality is trivial (empty description, minimal index.js); the credential-harvesting postinstall is the package's actual behavior. The name resembles the popular `chalk` package.
Decision reason
OpenSSF Malicious Packages via OSV confirms chalkdevx@2.0.0 as malicious (MAL-2026-10584): Malicious code in chalkdevx (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory