
Real World Attacks

DPRK Contagious Interview: NPMJS chalk-ultra and vitest-cli

Ossprey Research Team

23 Jun 2026


Ossprey Security has detected two malicious npm packages published by the same actor that disguise themselves as popular developer tools and silently drain crypto wallets from developer machines.

We currently attribute these packages to the DPRK Contagious Interview / FAMOUS CHOLLIMA campaign, based on overlap in tooling and targeting rather than confirmed infrastructure ties. That campaign targets developers: the victim is lured into a fake job interview and, as part of the "coding test", is told to install malicious npm packages.

The packages - chalk-ultra and vitest-cli - impersonate chalk (the most-downloaded terminal coloring library in the Node.js ecosystem) and vitest (a widely-used testing framework). A developer installing either package gets malware instead.

Ossprey has reported both packages, the C2 host, and all other IOCs to the relevant providers.

What These Packages Actually Do

On installation, both packages run a postinstall hook that spawns a detached background process with its output suppressed, so nothing appears in the developer's terminal. That process connects to an attacker-controlled server, downloads a second-stage payload, and runs it silently on the developer's machine.

The payload does four things:

It checks whether you're a real target. Before doing anything harmful, it detects virtual machines and sandboxes commonly used by security researchers. This is a deliberate step to avoid analysis.

It steals files from your machine. It walks your filesystem looking for anything valuable: .env files, private keys, seed phrases, source code, credentials stored in config files. Everything it finds gets uploaded to the attacker.

It raids your browser. It pulls saved passwords, autofill data, and the local databases of 52 different cryptocurrency wallet browser extensions - including MetaMask, Phantom, Trust Wallet, and Coinbase Wallet - from Chrome, Brave, Edge, and Opera.

It replaces MetaMask. This is the most damaging part. The malware kills Chrome, downloads a trojanized version of the MetaMask extension from the attacker's server, installs it, and rewrites Chrome's internal configuration to make it permanent. The next time you open Chrome, you're running the attacker's MetaMask - which captures your wallet password when you unlock it.

Same Actor, Two Packages

The npm publisher venusqq_1234 is behind both chalk-ultra and vitest-cli. Both packages use an identical delivery mechanism: they fetch the malicious payload from jsonkeeper[.]com, a free anonymous service that lets anyone store and update JSON data. Because the actual malware lives on that external service rather than inside the package itself, the attacker can change the payload at any time without publishing a new package version - which makes it harder to catch with tools that only scan package contents.

The use of jsonkeeper[.]com as a payload host, combined with the detached background execution and the MetaMask replacement technique, is consistent with the Contagious Interview campaign - a long-running operation attributed to North Korean threat actors that has targeted software developers through fake job interviews and malicious npm packages since at least 2023. Attribution for these specific packages is unconfirmed, but the overlap in tooling and targets is significant.

We previously documented the same credential-harvesting approach in the Megalodon campaign.

Who Is at Risk

Any developer who installed chalk-ultra (versions 12.0.14 or 12.0.15) or vitest-cli (version 1.0.9) on a Windows, macOS, or Linux machine should treat that machine as compromised.

The packages target developer workstations specifically - the machines most likely to have cloud credentials, API keys, GitHub tokens, and cryptocurrency wallets stored locally. A single install during an npm install on a new project or a CI run is enough.

What to Do

If either package appears in your dependency tree or lockfile, act now:

  1. Remove chalk-ultra and vitest-cli from all projects and lockfiles.

  2. Check your MetaMask installation in Chrome at chrome://extensions. If it loads from a local folder path rather than the Chrome Web Store, uninstall it and reinstall from the Web Store. Treat any wallet unlocked in that browser as compromised: create a new wallet with a fresh seed phrase and move your funds into it before connecting to any dapp (decentralised application, a web front end that asks your wallet to sign transactions against smart contracts).

  3. Rotate everything that was on that machine: cloud credentials, API keys, npm tokens, SSH keys, and any .env files that contain secrets.

  4. Block outbound connections to 138.201.140[.]23 on ports 4553, 4556, and 4558.

  5. Report both packages to the npm security team at security@npmjs.com if they are still live.

A Note from Ossprey

Ossprey's threat-hunting pipeline flagged chalk-ultra through postinstall hook behavioral analysis and source-code reuse detection: the package ships a verbatim copy of the nodemailer library as cover, and that copy matched against our known-legitimate package corpus. The jsonkeeper[.]com payload delivery pattern is tracked as a high-confidence behavioral signal across this campaign family, which is how we linked chalk-ultra and vitest-cli to the same actor.

If your team relies on open-source dependencies, book a demo to see how Ossprey can catch this class of attack before it reaches a developer's machine.
