MAL-2026-10583
Malicious code in chalkdev (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (31c82b41c09114082b8c0ac8ba6f7bf5ffad8b7da40478ce409443ef00171619) chalkdev is a near-empty package (index.js exports {}, 11-byte README) whose sole runtime behavior is a postinstall hook that runs `.init.js` on `npm install`. `.init.js` enumerates installer-side secret environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, GOOGLE_APPLICATION_CREDENTIALS), reads credential files from the user's home directory (`~/.npmrc`, `~/.env`, `~/.env.local`, `~/.env.production`, `~/config.json`, `~/credentials.json`), and scans `~/.config` for filenames containing `token`, `cred`, or `secret`. It also collects host identifiers via `os.hostname()` and `os.platform()`. The harvested data is POSTed as JSON to a hardcoded `https://webhook.cool/at/tender-deer-80/...` endpoint. The package name typosquats the popular `chalk` library.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for chalkdev (npm). Pin to a known-safe version or switch to an alternative.