Malicious package

chalk-plus-ts (npm)

Malicious code in chalk-plus-ts (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5710
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall chalk-plus-ts

What this malware does

package.json declares postinstall=node lib/utils/index.js, which spawns a detached child process running lib/utils/smtp-connection/index.js. That script fetches https://www.jsonkeeper.com/b/QHDXR (a mutable, anonymous JSON paste host) and passes the response's cookie field directly into new Function('require', data.cookie)(require), executing attacker-controlled JavaScript with full Node privileges on every installer machine. The detached child with ignored stdio is designed to suppress visibility of the activity. The package additionally ships lib/utils/smtp-connection/parse.js, which exposes an AES-256-CBC decryption helper with a hardcoded key and IV — consistent with a staged loader for decoding subsequent payloads delivered through the same channel. Identity is laundered: the package name chalk-plus-ts impersonates the popular chalk package, the main entry is a verbatim copy of nodemailer.js, the author field is set to nodemailer's real maintainer (Andris Reinman), and the description field is unrelated React Training boilerplate — all to lure installs from multiple ecosystems.
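The following static triage check is an added example, not code from the advisory or from the package. It flags the behaviours described above (install-time lifecycle script, detached child with ignored stdio, `new Function` on fetched data, the paste-host URL, AES-256-CBC decryption) in a package directory. The function names, rule ids and regular expressions are this example's own assumptions, and the sample input is constructed.

```javascript
const fs = require('fs');
const path = require('path');
const LIFECYCLE = ['preinstall', 'install', 'postinstall'];
// Heuristics for the behaviours this advisory describes; the patterns are this example's own.
const RULES = [
  { id: 'dynamic-code', re: /new\s+Function\s*\(|\beval\s*\(/ },
  { id: 'detached-child', re: /detached\s*:\s*true/ },
  { id: 'silenced-stdio', re: /stdio\s*:\s*['"]ignore['"]/ },
  { id: 'paste-host-url', re: /https?:\/\/[^\s'"]*jsonkeeper\.com/i },
  { id: 'aes-cbc-decrypt', re: /createDecipheriv\s*\(\s*['"]aes-256-cbc['"]/i },
];

// manifest: parsed package.json; sources: { relativePath: fileText }
function auditPackage(manifest, sources) {
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (cmd) findings.push({ id: 'lifecycle-script', where: 'package.json', detail: `${hook}: ${cmd}` });
  }
  for (const [file, text] of Object.entries(sources)) {
    for (const { id, re } of RULES) {
      if (re.test(text)) findings.push({ id, where: file, detail: re.source });
    }
  }
  return findings;
}

// Read a package directory from disk into the shape auditPackage expects.
function loadPackage(dir) {
  const manifest = JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
  const sources = {};
  const walk = (d) => {
    for (const e of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, e.name);
      if (e.isDirectory()) { if (e.name !== 'node_modules') walk(p); }
      else if (/\.(c|m)?js$/.test(e.name)) sources[path.relative(dir, p)] = fs.readFileSync(p, 'utf8');
    }
  };
  walk(dir);
  return { manifest, sources };
}
// Constructed sample mirroring the advisory's description (not the real package contents).
const sampleManifest = { name: 'sample-pkg', scripts: { postinstall: 'node lib/utils/index.js' } };
const sampleSources = {
  'lib/utils/index.js': "spawn('node', [child], { detached: true, stdio: 'ignore' }).unref();",
  'lib/utils/smtp-connection/index.js': "new Function('require', data.cookie)(require);",
  'lib/main.js': "module.exports = function send() { return true; };",
};
console.log(auditPackage(sampleManifest, sampleSources));
```

To check a real tree, pass the result of `loadPackage(dir)` for each directory under `node_modules`; a hit is a reason to review the file, not proof of malice, since legitimate packages also use lifecycle scripts.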

Malicious versions

1 flagged
1.0.3

Indicators of compromise (SHA-256)

08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c
4e21033bf30adc04a20f48e89e1cb8ec1544a3d56c12a23b19f11be9ac17666e

Frequently asked questions

No. chalk-plus-ts on npm has been identified as a malicious package (version 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006228
IN-MAL-2026-006229

Credits

  • Amazon Inspector · finder

chalk-plus-ts (npm) malicious package — MAL-2026-5710 | O3 Security