OSV ID
MAL-2026-6470
Ecosystem
npm
Summary
The package name chlklib is a typosquat of the popular chalk package (chalk with the "a" dropped and a "lib" suffix appended), and the package replicates chalk's public API surface (Chalk, chalkStderr, supportsColor, colorNames) so that a mistaken install does not fail visibly. On require/import, the main entry invokes getOriginal() at module top level; that function POSTs to https://funnystore.org/lib/index.php, XOR-decodes the response body with a hardcoded key, and passes the result to eval() (see dist/vendor/original-color/index.cjs around line 55, invoked from dist/index.cjs). Any developer who installs and requires this package, most likely after mistyping chalk, immediately executes attacker-controlled JavaScript fetched at runtime from funnystore.org. Because the payload is fetched on every require rather than shipped in the tarball, the remote endpoint is mutable: the operator can change the delivered code at any time, and a clean review of the published package contents says nothing about what will run. The endpoint is unrelated to the package's stated "terminal prompt" purpose, and it gives the operator full remote code execution on the installer's machine with the privileges of whatever process loaded the module. The XOR-then-eval obfuscation combined with the typosquat-with-replicated-API shape matches a deliberate dropper campaign rather than any legitimate use case.
Source: amazon-inspector (b08a933891c92fdec26fbadf4921d2e08ff101126fb656a2b57d747fefa9d0d4)