Malicious code in chalk-plus-ts (npm)
MAL-2026-5710
Published · Modified
Description
Source: amazon-inspector (08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c)
package.json declares postinstall=node lib/utils/index.js, which spawns a detached child process running lib/utils/smtp-connection/index.js. That script fetches https://www.jsonkeeper.com/b/QHDXR (a mutable, anonymous JSON paste host) and passes the response's cookie field directly into new Function('require', data.cookie)(require), executing attacker-controlled JavaScript with full Node privileges on every installer machine. The detached child with ignored stdio is designed to suppress visibility of the activity. The package additionally ships lib/utils/smtp-connection/parse.js, which exposes an AES-256-CBC decryption helper with a hardcoded key and IV — consistent with a staged loader for decoding subsequent payloads delivered through the same channel. Identity is laundered: the package name chalk-plus-ts impersonates the popular chalk package, the main entry is a verbatim copy of nodemailer.js, the author field is set to nodemailer's real maintainer (Andris Reinman), and the description field is unrelated React Training boilerplate — all to lure installs from multiple ecosystems.
References