Detect Compromised Chalk Packages

Query

# *Find Compromised Aikido Chalk npm Packages*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1195 | Supply Chain Compromise | https://attack.mitre.org/techniques/T1195 |


#### Description
This rule identifies devices that have specific versions of npm packages installed. It defines a list of package names together with the exact versions to look for. It then queries the 'DeviceTvmSoftwareInventory' table to find all npm packages installed on devices. Finally, it matches the two datasets on package name and version to pinpoint devices where exactly those versions are present. This type of rule is useful for identifying software supply chain compromises in which specific malicious versions of legitimate packages are distributed.

#### Risk
Compromised npm Packages

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
- https://www.youtube.com/watch?v=4caJw0JJZTQ (John Hammond on YouTube)

## Defender XDR
```KQL
// List of npm package names and the exact compromised versions to look for
let required_packages_and_versions = datatable(Package:string, Version:string)
[
    "backslash", "0.2.1",
    "chalk-template", "1.1.1",
    "supports-hyperlinks", "4.1.1",
    "has-ansi", "6.0.1",
    "simple-swizzle", "0.2.3",
    "color-string", "2.1.1",
    "error-ex", "1.3.3",
    "color-name", "2.0.1",
    "is-arrayish", "0.3.3",
    "slice-ansi", "7.1.1",
    "color-convert", "3.1.1",
    "wrap-ansi", "9.0.1",
    "ansi-regex", "6.2.1",
    "supports-color", "10.2.1",
    "strip-ansi", "7.1.1",
    "chalk", "5.6.1",
    "debug", "4.4.2",
    "ansi-styles", "6.2.2"
];
// Build one "package@version" string key per row; a tabular expression of
// scalar keys is what the `in` operator below can match against
let required_list = required_packages_and_versions
| project RequiredKey = strcat(Package, "@", Version);
// Find all installed npm packages, plus anything whose name is on the list
let installed_packages =
    DeviceTvmSoftwareInventory
    | where SoftwareVendor == "npm" or SoftwareName in (required_packages_and_versions | project Package)
    | project DeviceName, Package = SoftwareName, Version = SoftwareVersion;
// Keep only installs whose package@version key is on the compromised list
installed_packages
| extend InstalledKey = strcat(Package, "@", Version)
| where InstalledKey in (required_list)
| project DeviceName, Package, Version
| order by DeviceName asc, Package asc
```

Explanation

This query is designed to identify devices that have specific versions of certain npm packages installed, which may be compromised. Here's a simplified breakdown of what the query does:

  1. Define Target Packages: It starts by listing specific npm packages and their exact versions that are of interest. These packages are suspected to be compromised.

  2. Prepare for Comparison: The query creates a list of these package-version pairs to use for comparison with installed packages on devices.

  3. Check Installed Packages: It then looks at the 'DeviceTvmSoftwareInventory' table to find all npm packages installed on devices. It specifically filters for packages from the npm vendor or those that match the names in the list of target packages.

  4. Identify Matches: The query compares the installed packages against the list of target package-version pairs. It identifies devices where these specific versions of the packages are installed.

  5. Output Results: Finally, it outputs a list of devices along with the package names and versions that match the criteria, sorted by device and package name.

This query is useful for detecting potential supply chain compromises by identifying devices with specific versions of npm packages that are known or suspected to be malicious.
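The same package@version match can be run offline against a project's lockfile, for example on build hosts that are not in the Defender software inventory. This is an added example, not part of the original query page or the author's code; it reads a `package-lock.json` (the `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1) and reports any entry on the list above. The sample lockfile is constructed for the demo.

```python
import json
from pathlib import Path

# The package/version pairs from the hunting query above
COMPROMISED = {
    ("backslash", "0.2.1"), ("chalk-template", "1.1.1"), ("supports-hyperlinks", "4.1.1"),
    ("has-ansi", "6.0.1"), ("simple-swizzle", "0.2.3"), ("color-string", "2.1.1"),
    ("error-ex", "1.3.3"), ("color-name", "2.0.1"), ("is-arrayish", "0.3.3"),
    ("slice-ansi", "7.1.1"), ("color-convert", "3.1.1"), ("wrap-ansi", "9.0.1"),
    ("ansi-regex", "6.2.1"), ("supports-color", "10.2.1"), ("strip-ansi", "7.1.1"),
    ("chalk", "5.6.1"), ("debug", "4.4.2"), ("ansi-styles", "6.2.2"),
}

def iter_lock_entries(lock):
    """Yield (name, version) for every dependency in a parsed package-lock.json.
    lockfileVersion 2/3 stores a flat "packages" map keyed by install path;
    lockfileVersion 1 stores a nested "dependencies" tree."""
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        # Name is whatever follows the last "node_modules/" (handles nested and scoped)
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if "version" in meta:
            yield name, meta["version"]
    stack = list(lock.get("dependencies", {}).items())
    while stack:  # iterative walk of the v1 tree
        name, meta = stack.pop()
        if "version" in meta:
            yield name, meta["version"]
        stack.extend(meta.get("dependencies", {}).items())

def find_compromised(lock_text):
    """Return a sorted list of 'name@version' strings that are on the list."""
    lock = json.loads(lock_text)
    hits = {f"{n}@{v}" for n, v in iter_lock_entries(lock) if (n, v) in COMPROMISED}
    return sorted(hits)

def scan_file(path):
    return find_compromised(Path(path).read_text(encoding="utf-8"))

# Constructed sample lockfile: one direct hit, one nested hit, one safe version
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/chalk": {"version": "5.6.1"},
        "node_modules/debug": {"version": "4.4.1"},
        "node_modules/foo/node_modules/ansi-styles": {"version": "6.2.2"},
    },
})

if __name__ == "__main__":
    print(find_compromised(SAMPLE_LOCK))  # ['ansi-styles@6.2.2', 'chalk@5.6.1']
```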

Details

Benjamin Zulliger

Released: November 21, 2025

Tables

DeviceTvmSoftwareInventory

Keywords

Devices

Operators

let, datatable, extend, pack_array, summarize, make_list, where, in, project, order by