NeuroAgent

Trojan in chalk package: security measures


Question

JetBrains IDE detected a trojan in the chalk package: what measures should be taken?

  1. Should I scan the entire system? What tools should I use and what are the chances of detecting potentially installed malicious programs?
  2. Should I reinstall Windows? What should I do if other drives are also infected?
  3. Is the criticism of using operating system functions in this case justified?
NeuroAgent

JetBrains IDE Detected a Trojan in Chalk Package - Major npm Supply Chain Attack

JetBrains IDE detected a trojan in the chalk package - this is the result of a major attack on the npm supply chain, affecting 18 popular packages with a total of approximately 2 billion weekly downloads. It is necessary to immediately remove malicious package versions and check the system for additional threats, but a complete Windows reinstall will likely not be required. Using operating system functions in this case is standard security practice when detecting malicious code.


What happened and which packages are affected

On September 8, 2025, a large-scale attack on the npm supply chain occurred, as a result of which attackers gained control over developer accounts and published malicious versions of popular packages. According to Aikido Security, the attack began at 13:16 UTC and affected 18 widely used JavaScript libraries.

The most affected packages include:

  • chalk (~300 million weekly downloads) - for terminal string styling
  • debug - one of the most popular packages for debugging
  • supports-color - for determining terminal color support
  • ansi-styles - for ANSI code styling
  • strip-ansi - for removing ANSI codes from strings
  • ansi-regex - for regular expressions of ANSI escape sequences

As noted by Sonatype, attackers successfully compromised an npm developer account, which allowed them to publish malicious package versions. Many of the malicious packages were removed from npm less than an hour after discovery.

Important: The malicious code was in specific package versions (for example, in chalk version 5.6.1), so not all versions you installed were affected.


Do you need to scan the entire system

Yes, scanning the entire system is recommended, but with some important caveats. The likelihood of detecting malicious software depends on how exactly the infected package was used.

What malicious code was in the chalk package?

According to GitHub research, the malicious code was on line 11 of the src/index.js file in the chalk package. This code could perform various actions depending on the implementation, but it was mainly aimed at:

  • Data theft
  • Installation of additional malware
  • Modification of system files

System scanning tools

The following tools are recommended:

  1. Antivirus programs:

  2. Specialized utilities for finding malware:

    • Malwarebytes
    • AdwCleaner
    • HitmanPro
  3. Package manager checks:

    ```bash
    npm audit fix
    yarn audit
    pnpm audit
    ```

Chances of detecting the threat

The chances of detecting potentially installed malicious software depend on:

  • Time of infected package installation - the earlier you installed it, the higher the risk
  • Package functions used - if you simply imported chalk for output styling, the risk is minimal
  • Additional actions - if the package executed system commands, the likelihood of detection increases

Important: Semgrep notes that many malicious packages were quickly removed from npm, but this doesn’t rule out the possibility of them being installed in your projects before removal.


Should you reinstall Windows

A complete Windows reinstall in this case is likely not required, but the decision depends on the specific situation.

When a reinstall might be necessary:

  1. If the malicious code gained administrator privileges and modified system files
  2. If you used the infected package in system scripts or services
  3. If antivirus scanning detected rootkits or complex malware

What to do if other drives are also infected:

  1. Scan all drives using antivirus software
  2. Use bootable antivirus disks to scan outside the operating system
  3. Create backups of important data before removing malware
  4. Format drives only as a last resort if removal doesn’t help

Alternative reinstall options:

  1. System restore to a point before the infected package was installed
  2. Creating a new clean system and transferring data with verification
  3. Using Windows Sandbox to test potentially infected applications

As noted by Vercel, most users can get by without reinstalling the system if they promptly remove malicious packages and perform scanning.


Justification for using OS functions

Criticism of using operating system functions in this case is not fully justified, as this is standard security practice.

Why IDEs use system functions:

  1. Threat detection - modern IDEs, including JetBrains, integrate with system security tools to identify potentially dangerous code
  2. Developer protection - warnings help avoid accidental execution of malicious code
  3. Dependency analysis - IDEs check package security through vulnerability databases

What is criticized:

  • False positives - sometimes IDEs may warn about harmless code
  • Excessive warnings - constant notifications can interfere with work
  • Insufficient contextual information - warnings may be too general

The real situation:

According to The Hacker News, the attack on chalk and debug packages is catastrophic for the software supply chain, and such warnings from IDEs are a necessary security measure.

Expert opinion: As noted by Ilkka Turunen of Sonatype, “what we’re seeing with npm packages chalk and debug is unfortunately common today in the software supply chain”.


Steps to eliminate the threat

Immediate actions:

  1. Check installed package versions:

    ```bash
    npm list chalk
    npm list debug
    npm list supports-color
    ```
  2. Remove malicious versions:

    ```bash
    npm uninstall chalk@5.6.1
    npm uninstall debug@4.3.7
    ```
  3. Update packages to safe versions:

    ```bash
    npm update chalk
    npm update debug
    ```
  4. Run a dependency audit:

    ```bash
    npm audit fix
    ```

Additional security measures:

  1. Check all projects for infected dependencies
  2. Use dependency analysis tools such as npm outdated (with --depth=0 to limit the report to top-level dependencies)
  3. Set up automatic updates via npm update --save
  4. Use lock files (package-lock.json, yarn.lock) to lock versions

Preventive measures:

  1. Regularly update dependencies
  2. Use security analysis tools like Snyk or Dependabot
  3. Limit package access rights through package.json
  4. Check package repositories before installation

Long-term security measures

Strengthening the supply chain:

  1. Use vulnerability monitoring tools:

  2. Set up CI/CD pipelines for automatic security checking

  3. Limit the use of external packages to only what’s necessary

Education and awareness:

  1. Follow security news in the npm ecosystem
  2. Train your development team to recognize phishing attacks
  3. Use secure coding practices

Technical solutions:

  1. Use private npm registries for internal packages
  2. Set up package signing and verification
  3. Use containerization to isolate dependencies

As emphasized by Wiz Security, such attacks are becoming increasingly common, and proactive security measures are becoming necessary for modern software development.

Sources

  1. Aikido Security - npm debug and chalk packages compromised
  2. Semgrep Security Alert - chalk, debug and color on npm compromised
  3. Wiz Blog - Widespread npm Supply Chain Attack
  4. CodeAnt AI - NPM Supply-Chain Alert
  5. The Hacker News - 20 Popular npm Packages Compromised
  6. Sonatype Blog - npm Chalk and Debug Packages Hit
  7. Kaspersky Blog - Popular npm packages compromised
  8. Vercel Blog - Critical npm supply chain attack response
  9. GitHub Chalk Issue - Version 5.6.1 published to npm is compromised
  10. Hacker News - NPM debug and chalk packages compromised

Conclusion

Detection of a trojan in the chalk package requires immediate but measured actions. It is necessary to remove malicious package versions, scan the system with antivirus software, but a Windows reinstall is only required in extreme cases. Warnings from JetBrains IDE are a justified security measure in the face of growing attacks on the software supply chain. To prevent similar incidents in the future, it is recommended to use vulnerability monitoring tools, regularly update dependencies, and train developers in safe practices for working with external packages.