npm

chalk-tempalte@1.0.20

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4517

Ecosystem

npm

Summary

The package name chalk-tempalte is a single-character transposition of the popular chalk-template package (a top-tier npm utility), consistent with deliberate typosquatting. The tarball ships a postinstall.js lifecycle script that imports child_process, performs HTTP GET/POST traffic via http.request(...), and collects host identifiers (hostname: fields appear repeatedly throughout the script, at lines 20, 46, 287, 409, 427). A second large file, phantom.js, contains multiple POST sinks (lines 1807, 2113, 3183, 6795, 6852). The structural shape (a typosquat name plus a postinstall script that combines child_process, outbound HTTP, and host/system metadata harvesting) matches the credential/host-data exfiltration pattern used by recent npm supply-chain campaigns. Installing this package causes the postinstall hook to fire automatically on npm install, transmitting installer machine data to a remote endpoint and providing a foothold for further code execution.

Source: amazon-inspector (d3e82f6fa2867575be5e57fd3b03dada6a93761c97b240f77f98f4b221bde7a7)
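
The naming pattern described in the summary can be checked for in a lock file before anything is installed. The following is an added example, not code from the advisory or from the package: it flags entries in a parsed package-lock.json (lockfileVersion 2 or 3) whose name is an adjacent-character transposition of a name you expect, and reports whether npm recorded an install script for them. The POPULAR list, the function names and the sample lock data are assumptions constructed for illustration.

```javascript
// Names the project expects to depend on (constructed, illustrative list).
const POPULAR = ['chalk', 'chalk-template', 'lodash', 'express'];

// True when `a` equals `b` with exactly one pair of adjacent characters swapped.
function isAdjacentTransposition(a, b) {
  if (a.length !== b.length || a === b) return false;
  let i = 0;
  while (a[i] === b[i]) i++; // first differing index (exists because a !== b)
  return a[i] === b[i + 1] && a[i + 1] === b[i] &&
         a.slice(i + 2) === b.slice(i + 2);
}

// Walk the "packages" map of a parsed package-lock.json and report lookalikes.
function findSuspects(lock, popular = POPULAR) {
  const known = new Set(popular);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project or workspace entry
    const name = path.slice(idx + 'node_modules/'.length);
    if (known.has(name)) continue;
    const lookalike = popular.find((p) => isAdjacentTransposition(name, p));
    if (lookalike) {
      findings.push({
        name,
        version: meta.version,
        lookalike,
        // npm sets hasInstallScript when the package declares install-time hooks
        hasInstallScript: meta.hasInstallScript === true,
      });
    }
  }
  return findings;
}

// Constructed sample lock data; only the chalk-tempalte entry mirrors this report.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/chalk-template': { version: '1.1.0' },
    'node_modules/chalk-tempalte': { version: '1.0.20', hasInstallScript: true },
    'node_modules/esbuild': { version: '0.21.5', hasInstallScript: true },
  },
};

console.log(findSuspects(SAMPLE_LOCK));
```

Running npm install --ignore-scripts keeps lifecycle hooks such as postinstall from executing while a flagged entry is reviewed.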
