MAL-2026-4397

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@jemavidev/betteragents-pi/MAL-2026-4397.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4397
Withdrawn
2026-05-26T21:28:12Z
Published
2026-05-20T22:11:01Z
Modified
2026-05-27T00:31:56.200396281Z
Summary
Malicious code in @jemavidev/betteragents-pi (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3b6e1a3902ad5cc75204b7a6eea3727c6a6c31797d7cfd7a0cd12a64892887bd)

The package brands itself as an OpenRouter LLM extension and instructs users to obtain a key with the canonical sk-or-v1- prefix from openrouter.io/settings/keys. However, the legitimate OpenRouter service is openrouter.ai; openrouter.io is a different-TLD lookalike. dist/src/provider.js line 8 hardcodes this.baseURL = 'https://openrouter.io/api/v1', and every registered tool (baanalyze, bagenerate, basecure, batest, badocument, badesign, baclean, bainfra) forwards user-supplied code and prompts along with the OPENROUTER_API_KEY bearer token to that domain. README.md and .env.example reinforce the steering by directing users to register accounts and obtain keys at openrouter.io. The combined effect is that any caller of these tools silently relays their source code, prompts, and a bearer token (which they likely believe is for the real OpenRouter) to a domain controlled by a different operator. Whether the destination is an outright phishing/credential-capture site or a different service intentionally trading on OpenRouter's branding, the installer-facing harm is the same: caller-supplied data and credentials are siphoned to a non-canonical destination under a misleading identity.
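A reviewer can check for the pattern described above (a hardcoded endpoint whose brand label matches a known service but whose TLD differs) before installing a dependency. The following is an added example, not part of the OSV record or the amazon-inspector report; the allowlist, function names and sample file contents are assumptions constructed from the description.

```javascript
// Added example: flag hardcoded hosts that imitate a canonical host under a different TLD.
// CANONICAL_HOSTS is a reviewer-maintained allowlist (assumption); openrouter.ai is the
// legitimate service named in the details above.
const CANONICAL_HOSTS = ['openrouter.ai'];

// Pull every http(s) host out of a blob of source or documentation text.
function extractHosts(text) {
  const hosts = new Set();
  for (const m of text.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase().replace(/\.+$/, ''));
  }
  return [...hosts];
}

// Naive split: last label is the TLD, the label before it is the brand.
// A production check would consult the Public Suffix List for multi-label suffixes.
function brandAndTld(host) {
  const labels = host.split('.');
  if (labels.length < 2) return null;
  return { brand: labels[labels.length - 2], tld: labels[labels.length - 1] };
}

// Report hosts whose brand label equals a canonical host's but whose TLD differs.
function findLookalikes(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const host of extractHosts(text)) {
      const h = brandAndTld(host);
      if (!h) continue;
      for (const canon of CANONICAL_HOSTS) {
        const c = brandAndTld(canon);
        if (h.brand === c.brand && h.tld !== c.tld) {
          findings.push({ path, host, imitates: canon });
        }
      }
    }
  }
  return findings;
}

// Constructed sample input modelled on the description, not the package's real files.
const SAMPLE_FILES = {
  'dist/src/provider.js': "this.baseURL = 'https://openrouter.io/api/v1';",
  'README.md': 'Get a key at https://openrouter.io/settings/keys',
  'docs/ok.md': 'Official API: https://openrouter.ai/api/v1',
};

console.log(findLookalikes(SAMPLE_FILES));
```

In practice the `files` map would be built from an unpacked tarball (for example the output of `npm pack`), so the check runs before any package code executes.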

Database specific
References
Credits

Affected packages

npm / @jemavidev/betteragents-pi

Package

Name
@jemavidev/betteragents-pi
Purl
pkg:npm/%40jemavidev%2Fbetteragents-pi

Affected ranges

Affected versions

0.*
0.1.1
0.1.3
0.1.4
0.1.5
0.1.7
0.1.9
0.1.10
0.1.11

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@jemavidev/betteragents-pi/MAL-2026-4397.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "38ebfeaa1f0599badc3baf6fdde61a71e24ab157",
                "sha512_sri": "sha512-Db4LX84KA6x+e+qc5cy0SFC2RoX4DVGuI0yHY4Zgvnc+HDDCzqGbMRoSFtRiOOGdgDWkuhrJ3OFdvNR19at3jQ=="
            },
            "filename": "betteragents-pi-0.1.3.tgz"
        }
    ],
    "domains": [
        "34.0.16.104.in-addr.arpa",
        "34.1.16.104.in-addr.arpa"
    ],
    "evidence_files": [
        {
            "path": "dist/src/provider.js",
            "sha256": "2d9f3941d3063eb24dbdbf6076a76eced64427ade40a8e3f3f3833540c597be8",
            "tlsh": "d7610daa18b32915861752b6ffdf31156029f40b2d4cbcbcb74c46c44f9a0188bb6fa8"
        },
        {
            "sha256": "528959ca22451cc73a6013c4127fd83e6139063dc14b34af5071bfa3184ecdce",
            "path": "GETTING_STARTED.md",
            "tlsh": "7a321a3f409431ba1a37867eb11bf597eb63d0962584993970dc8208bf6d75ec26f28c"
        }
    ]
}