npm

chalk-utils @2.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-3755

Ecosystem

npm

Summary

On npm install, postinstall.js runs a credential and cryptocurrency stealer against the installer's machine. It reads ~/.npmrc (extracting _authToken and npm_* tokens), ~/.git-credentials, and ~/.env (extracting values keyed by token/secret/password/api/aws/gcp/stripe patterns), then iterates a hardcoded list of 71 browser extension IDs for major crypto wallets (MetaMask, Phantom, Coinbase Wallet, Exodus, Trust, Binance, OKX, Ledger Live, Trezor, and others) across Chrome/Brave/Edge/Chromium/Vivaldi/Opera profiles, reading each extension's Local Extension Settings LevelDB .log files and applying regexes for vault, seed, privateKey, mnemonic, password, and encrypted.

It additionally walks ~/Documents, ~/Desktop, and ~/Downloads for filenames matching crypto keywords (seed, backup, wallet, phrase, metamask, phantom, vault, key, private), scores file contents against a BIP-39 word list, and harvests any file with >=8 BIP-39 matches along with a 100-character content preview.

Harvested data (plus os.hostname() and os.userInfo().username) is POSTed in cleartext to http://149.28.127.35:8888, a bare-IP C2 endpoint overridable via a C2_URL environment variable to support endpoint rotation. The package name chalk-utils masquerades as belonging to the chalk ecosystem while index.js is a dummy stub whose comment reads lodash-js — Just a dummy module. The real payload is in postinstall.js, and postinstall.js self-describes as Token harvester + Crypto wallet scanner. Runs on npm install. Silent. Zero trace.

Source: amazon-inspector (d0fe2974289b691a9f5541068f2e399aecb14a719779202ff5999652ffe351db)
