VDB
KO

MAL-2026-10583

Malicious code in chalkdev (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (31c82b41c09114082b8c0ac8ba6f7bf5ffad8b7da40478ce409443ef00171619) chalkdev is a near-empty package (index.js exports {}, 11-byte README) whose sole runtime behavior is a postinstall hook that runs `.init.js` on `npm install`. `.init.js` enumerates installer-side secret environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, GOOGLE_APPLICATION_CREDENTIALS), reads credential files from the user's home directory (`~/.npmrc`, `~/.env`, `~/.env.local`, `~/.env.production`, `~/config.json`, `~/credentials.json`), and scans `~/.config` for filenames containing `token`, `cred`, or `secret`. It also collects host identifiers via `os.hostname()` and `os.platform()`. The harvested data is POSTed as JSON to a hardcoded `https://webhook.cool/at/tender-deer-80/...` endpoint. The package name typosquats the popular `chalk` library.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / chalkdev

No fixed version published yet for chalkdev (npm). Pin to a known-safe version or switch to an alternative.

References