MAL-2026-4368

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@beyondbday/vibe-terminal/MAL-2026-4368.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4368
Withdrawn
2026-05-26T20:50:05Z
Published
2026-05-25T17:23:19Z
Modified
2026-05-27T00:31:53.178892402Z
Summary
Malicious code in @beyondbday/vibe-terminal (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9859c1af428f41ba7f7eb2a1db744705f5644ff2422629d94e3de1ecb59c9405)

On every launch of the vibe CLI, dist/vibe.js queries the npm registry for the latest version of @beyondbday/vibe-terminal and, if that version is newer than the running one, executes npm install -g @beyondbday/vibe-terminal@latest in the background with no user prompt, no version pinning, and no integrity verification. This establishes a permanent, mutable code-update channel under the publisher's control: any future version pushed to npm (whether by the legitimate maintainer or by anyone who compromises the npm account) is automatically installed globally on every user's machine the next time they run the CLI. Users therefore lose the ability to vet new versions, pin to a known-good release, or detect a malicious upgrade. The package additionally ships a hardcoded sk-... API key for opencode.ai as the default provider, so all user prompts and tool outputs (including file contents the assistant is asked to read) are relayed to opencode.ai by default; this is documented in the README and uses the author's own key, so it is a disclosed concern rather than the primary basis for blocking. A third, undocumented provider endpoint at opengateway.gitlawb.com is also preconfigured but is only used after explicit user selection.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.1.14"
            ],
            "modified_time": "2026-05-25T17:23:19Z",
            "sha256": "43e05b5dbe5a6dc12f8096ce549c6cc645fde2efc954201f847bb72676993221",
            "id": "IN-MAL-2026-004730",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:10.381575744Z"
        },
        {
            "versions": [
                "1.1.21"
            ],
            "modified_time": "2026-05-25T18:48:43Z",
            "sha256": "9859c1af428f41ba7f7eb2a1db744705f5644ff2422629d94e3de1ecb59c9405",
            "id": "IN-MAL-2026-004756",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:13.409617423Z"
        },
        {
            "versions": [
                "1.1.16"
            ],
            "modified_time": "2026-05-25T17:49:33Z",
            "sha256": "989da9f9a65491034597f7d51b866248bf126b77469b6efa744834c5ac45afac",
            "id": "IN-MAL-2026-004737",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:11.23684919Z"
        },
        {
            "versions": [
                "1.1.17"
            ],
            "modified_time": "2026-05-25T18:09:56Z",
            "sha256": "df0e070435f3ffe3b7e868ee4f0a1750ea23dc7c7b5e62d93161d72690ac5d47",
            "id": "IN-MAL-2026-004743",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:11.947594134Z"
        }
    ]
}
References
Credits

Affected packages

npm / @beyondbday/vibe-terminal

Package

Name
@beyondbday/vibe-terminal
Purl
pkg:npm/%40beyondbday%2Fvibe-terminal

Affected ranges

Affected versions

1.*
1.1.14
1.1.16
1.1.17
1.1.21

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-u7RNPEiG8cWTnpfFr8FwbRn5CC/G9cPd2lBsu7JRMjuetd+Cjsv2r4KVQbUbyjx3ksMID6+h7Pku17teL29T1Q==",
                "sha1": "f8e1872f4ba478982cec4708a41b27fc846a16f6"
            },
            "filename": "vibe-terminal-1.1.14.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "dist/vibe.js",
            "tlsh": "1644b71469b321230313a0b63d47940eb6a5904b3909dd74faccfa687fda568e1f6bdc",
            "sha256": "14cb394c9d67ccc7ece0d7c9cca76dafc3a948855777cbbffc3bc55a98bd00e1"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@beyondbday/vibe-terminal/MAL-2026-4368.json"