Socket's threat research team has uncovered malicious npm packages that impersonate two popular Node.js libraries, chokidar and chalk, published by an attacker using the name davn118. The clones carry destructive code that can delete critical project files and exfiltrate sensitive environment variables. The findings highlight the ongoing risk of supply chain attacks that ride on the names of widely used libraries rather than compromising the libraries themselves. Impersonated (the genuine packages are not affected): chokidar, chalk
Key points :
- Chokidar and chalk are popular Node.js libraries with millions of weekly downloads.
- Malicious packages impersonating these libraries were discovered, created by the attacker davn118.
- These clones include a kill switch function and a data exfiltration routine.
- The malicious code can delete important project directories like .git and .vscode.
- Chalk has been a target of supply chain attacks before, indicating that attackers repeatedly go after it.
- The attacker publishes multiple near-identical packages so that a mistyped or lookalike name is more likely to land on one of them.
- Socket's threat research team flagged these malicious packages as severe risks.
MITRE Techniques :
- T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
- T1059.007 — Command and Scripting Interpreter: JavaScript
- T1036.005 — Masquerading: Match Legitimate Name or Location
- T1027.013 — Obfuscated Files or Information: Encrypted/Encoded File
- T1546.016 — Event Triggered Execution: Installer Packages
- T1005 — Data from Local System
- T1485 — Data Destruction
Indicators of Compromise :
- [domain] yc.cnzzsoft[.]com
- [npm package] cschokidar-next
- [npm package] achokidar-next
- [npm package] achalk-next
- [other IoC] Hardcoded passwords: fwfmiao624093599, preview, vabp
- Check the article for all found IoCs.
Full Research: https://socket.dev/blog/kill-switch-hidden-in-npm-packages-typo-squatting-chalk-and-chokidar