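---
# Semgrep Supply Chain (SCA) rule for the September 2025 npm compromise of the
# chalk / debug / color family of packages (see the references in metadata).
# The rule has no code pattern: it matches purely on the dependency graph, and
# a finding fires when the scanned project depends on ANY one of the pinned
# package@version pairs below (depends-on-either is an OR over the list).
# Every pin is an exact `==` match, so only the single version the rule treats
# as compromised is flagged; neighbouring clean versions are not.
rules:
- id: ssc-mal-deps-mit-2025-09-chalk-debug-color
  # This is the only text a user sees in the finding, so it must name every
  # package pinned in depends-on-either below (previously it omitted the
  # duckdb packages and proto-tinker-wc). Keep the two lists in sync.
  message: >-
    Affected versions of ansi-regex, ansi-styles, backslash, chalk, chalk-template,
    color-convert, color-name, color-string, debug, error-ex, has-ansi, is-arrayish,
    simple-swizzle, slice-ansi, strip-ansi, supports-color, supports-hyperlinks,
    wrap-ansi, duckdb, @duckdb/node-api, @duckdb/node-bindings, @duckdb/duckdb-wasm,
    and proto-tinker-wc are vulnerable to Embedded Malicious Code.
  severity: ERROR
  metadata:
    license: MIT License
    confidence: HIGH
    category: security
    # No CVE was assigned; the incident is tracked under the custom GHSA-style
    # identifier below.
    cve: ''
    cwe:
    - 'CWE-506: Embedded Malicious Code'
    # NOTE(review): `GHSA-cust-0000-0007` is a custom identifier (see
    # semgrep.dev.rule.origin), not one issued by GitHub, so the
    # github.com/advisories link in references is unlikely to resolve — confirm.
    # The other two references describe the incident itself.
    ghsa: GHSA-cust-0000-0007
    owasp:
    - A06:2021 - Vulnerable and Outdated Components
    publish-date: '2025-09-08T08:57:00Z'
    references:
    - https://github.com/advisories/GHSA-cust-0000-0007
    - https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the
    - https://semgrep.dev/blog/2025/chalk-debug-and-color-on-npm-compromised-in-new-supply-chain-attack
    # Intentionally empty: a malicious release has no "fixed" successor the tool
    # can recommend, so no fix version is surfaced with the finding. Remediation
    # is typically to pin back to the last version published before the
    # compromise and to check lockfiles/caches for the flagged versions.
    sca-fix-versions: []
    sca-kind: upgrade-only
    sca-schema: 20230302
    sca-severity: CRITICAL
    sca-vuln-database-identifier: GHSA-cust-0000-0007
    technology:
    - js
    - ts
    source: https://semgrep.dev/s/0b1Rb
    shortlink: https://semgrep.dev/s/0b1Rb
    semgrep.dev:
      rule:
        r_id: 210454
        rv_id: 1142996
        rule_id: kxUgZJg
        version_id: 7ZTnPZW
        url: https://semgrep.dev/playground/r/7ZTnPZW/semgrep.ssc-mal-deps-mit-2025-09-chalk-debug-color
        origin: custom
  # Matching is on the resolved dependency graph (lockfile), not on source.
  # Each entry pins exactly one published version with `==`; adding a new
  # compromised package means adding an entry here AND naming it in message.
  r2c-internal-project-depends-on:
    depends-on-either:
    - namespace: npm
      package: ansi-regex
      version: ==6.2.1
    - namespace: npm
      package: ansi-styles
      version: ==6.2.2
    - namespace: npm
      package: backslash
      version: ==0.2.1
    - namespace: npm
      package: chalk
      version: ==5.6.1
    - namespace: npm
      package: chalk-template
      version: ==1.1.1
    - namespace: npm
      package: color-convert
      version: ==3.1.1
    - namespace: npm
      package: color-name
      version: ==2.0.1
    - namespace: npm
      package: color-string
      version: ==2.1.1
    - namespace: npm
      package: debug
      version: ==4.4.2
    - namespace: npm
      package: error-ex
      version: ==1.3.3
    - namespace: npm
      package: has-ansi
      version: ==6.0.1
    - namespace: npm
      package: is-arrayish
      version: ==0.3.3
    - namespace: npm
      package: simple-swizzle
      version: ==0.2.3
    - namespace: npm
      package: slice-ansi
      version: ==7.1.1
    - namespace: npm
      package: strip-ansi
      version: ==7.1.1
    - namespace: npm
      package: supports-color
      version: ==10.2.1
    - namespace: npm
      package: supports-hyperlinks
      version: ==4.1.1
    - namespace: npm
      package: wrap-ansi
      version: ==9.0.1
    # Scoped package names start with `@`, which YAML would otherwise read as a
    # reserved indicator — they must stay quoted. These entries are covered by
    # the same advisory id as the set above (presumably the same campaign;
    # verify against the references).
    - namespace: npm
      package: duckdb
      version: ==1.3.3
    - namespace: npm
      package: '@duckdb/node-api'
      version: ==1.3.3
    - namespace: npm
      package: '@duckdb/node-bindings'
      version: ==1.3.3
    - namespace: npm
      package: '@duckdb/duckdb-wasm'
      version: ==1.29.2
    - namespace: npm
      package: proto-tinker-wc
      version: ==0.1.87
  languages:
  - js
  - ts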
