MAL-2026-10495

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@quukk/opencode-clawmessenger/MAL-2026-10495.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10495
Published
2026-07-13T21:29:25Z
Modified
2026-07-13T22:01:56.872335597Z
Summary
Malicious code in @quukk/opencode-clawmessenger (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (74e48f1438950e47277df7d6b0df77f7e2ecf2315323b0012a293299bbb91b9c)

The package is a remote-controlled bridge: after the user runs opencode-clawmessenger setup and binds via QR code, the installed wrapper authenticates to https://newsradar.dreamdt.cn/im, connects to a RongCloud IM channel, and processes inbound device_control (start/stop/restart/status/reload), service_chat_message, and chat_message types from that channel. Chat content is forwarded to a local OpenCode AI session at http://127.0.0.1:19877 and responses are returned over IM (dist/core/message-handler.js: case RongyunMessageTypeEnum[...DEVICE_CONTROL...]: await this['handleDeviceControl'](...) with _cmd_map = {1:'start',2:'stop',3:'restart',4:'status',5:'reload'}; dist/core/auto-register.js: DEFAULT_SERVER_URL='https://newsradar.dreamdt.cn/im'). Whoever controls the dreamdt.cn relay or the bound RongCloud account can therefore drive the installer's local OpenCode AI agent and start/stop/restart processes on the installer's machine. Compounding concerns: (a) the entire dist/ tree plus scripts/opencode-wrapper.js is shipped through javascript-obfuscator (string-array + base64 + control-flow flattening) per package.json's prepublishOnly: npm run build && npm run obfuscate, hiding the full set of message handlers from review; (b) getAppSecret() in dist/core/auto-register.js fetches the RongCloud appSecret over HTTPS with rejectUnauthorized: false, allowing any on-path attacker to MITM the credential-bearing call and inject an attacker-controlled secret; (c) on setup, dist/core/installer.js renames the system opencode binary to opencode-original.* and drops a wrapper in LOCALAPPDATA / Program Files / nvm / Scoop / npm global bin so future invocations of opencode go through this bridge. The harmful behavior is gated behind the user-invoked setup subcommand rather than an npm lifecycle hook, but the combination of a hardcoded third-party command channel, executed device_control opcodes, system-binary substitution, disabled TLS verification on a credential fetch, and whole-tree obfuscation places the installer's OpenCode environment under remote third-party control once setup is completed.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T21:29:25Z",
            "versions": [
                "1.1.10"
            ],
            "sha256": "74e48f1438950e47277df7d6b0df77f7e2ecf2315323b0012a293299bbb91b9c",
            "id": "IN-MAL-2026-010323",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T21:49:33.791356972Z"
        }
    ]
}
References
Credits

Affected packages

npm / @quukk/opencode-clawmessenger

Package

Name
@quukk/opencode-clawmessenger
View open source insights on deps.dev
Purl
pkg:npm/%40quukk/opencode-clawmessenger

Affected ranges

Affected versions

1.*
1.1.10

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "cb51f810dca94c6309ca00b16cb7461a6138a8075a18fd1c77e843ad8f1e7bf217fb2e",
            "sha256": "04458c470693984fa12188f2758916d2e9d1dd4c31b590735495e672e38f7314",
            "path": "package.json"
        },
        {
            "tlsh": "9963d8552ea41084338a1ab7b227b8e5e6474ddc74584d8fe2987d2431ea217fef4f70",
            "sha256": "d3f7ed2fb111f86010cac21fbafcfbe9076c597417da6c6b453661edda282eea",
            "path": "dist/core/message-handler.js"
        },
        {
            "tlsh": "9362c5056e95a6c0b34b0b7b3a2334d5d91b08a5342c898fe3047fd43c79293fea5a78",
            "sha256": "9d121474fa90e94c1816e41643d85b091d8c453651d7aa52df9634c63c288e9c",
            "path": "dist/core/auto-register.js"
        },
        {
            "tlsh": "8653c640aac4641423875bbbba2bb0d5f93b0cdd35c44887c119bea87566727e5f3a32",
            "sha256": "3c959c2124dc977abffec74726049fa40f66cd4f1f786041ee546fcbaa1bc5a8",
            "path": "dist/core/installer.js"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@quukk/opencode-clawmessenger/MAL-2026-10495.json"