Supply-chain threat intelligence

critical · npm · obfuscation · osv

Malicious code in chalk-plus-js (npm)

Risk score

92

AI summary

Indexed incident for chalk-plus-js (npm).

Description

The package is published under a name that rides on the popular chalk color-output library, but its source tree, README, main entry (lib/nodemailer.js), and lib paths (smtp-connection, mailer, ses-transport, smtp-pool, dkim, mime-funcs) are a verbatim clone of nodemailer. The package.json description is an unrelated React Training copyright string, and the homepage points at a lookalike domain (chalk-plus-js.com).

On install, the postinstall hook node lib/utils/index.js spawns lib/utils/smtp-connection/index.js as a detached child with stdio fully silenced (spawn(process.execPath, [filePath], { detached: true, stdio: ['ignore','ignore','ignore'] }); child.unref()), so the dropper outlives the npm install process and produces no console output. The target file is heavily obfuscated using a custom-alphabet string array and per-block decoders inside try/catch wrappers; decoded values are fed to require(...), spawn(...), and the argument pattern ['-e', <decoded>] with shell: true, i.e. it executes attacker-controlled code through a shell at install time.

The payload requires axios, fs, path, and child_process, and the package's runtime dependency footprint (axios, socket.io-client, sqlite3, request) is consistent with HTTP/websocket C2 plus local persistence, none of which a nodemailer clone needs. Any developer who mistypes or trusts the name chalk-plus-js executes attacker code with their own privileges on npm install.

Technical details

Affected versions

=7.0.4

Indicators

  • affected version = 7.0.4 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
