MAL-2026-4403

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@link-assistant/hive-mind/MAL-2026-4403.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4403
Withdrawn
2026-05-26T21:41:23Z
Published
2026-05-20T20:09:58Z
Modified
2026-05-27T00:31:59.549989623Z
Summary
Malicious code in @link-assistant/hive-mind (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7dfeaad3a9eda8f440dabe165d4ff6ba593c9858b9752d9bded19b05b292072a)

The package fetches https://unpkg.com/use-m/use.js — an unpinned URL that resolves to the latest published version of the third-party use-m package — and passes the response body directly to eval() to bootstrap a runtime module loader. The pattern appears at the top level of src/lib.mjs (lines 34-36: globalThis.use = (await eval(await (await fetch('https://unpkg.com/use-m/use.js')).text())).use), so it fires on import of that module by any consumer or bin script. The same pattern is repeated in src/hive.mjs (lines 48-53) and across roughly thirty other files in the package. There is no version pin, no SRI hash, and no integrity verification. Any compromise of the use-m npm package, or of the unpkg response path, results in arbitrary attacker-controlled JavaScript executing in the context of every consumer that runs or imports this package — including, when the user passes --auto-cleanup, a sudo rm -rf /tmp/* /var/tmp/* shell call that broadens the blast radius. The static fetch/POST/process.env co-occurrences in config.lib.mjs, github.lib.mjs, hive.mjs, limits.lib.mjs, opencode.lib.mjs, playwright-mcp.lib.mjs, and youtrack/youtrack.lib.mjs are calls to documented vendor APIs (api.openai.com, api.anthropic.com, api.github.com, opencode.ai, youtrack.cloud) consistent with the package's stated AI-orchestration purpose and are not themselves the block basis.
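The fetch-then-eval pattern quoted above can be caught by a simple static check such as the following. This is an added example written for this page, not code from the advisory or from the hive-mind package; the CDN version-pin heuristic and the sample source lines are assumptions constructed here.

```javascript
// Added example: flag source lines where a script fetched from a remote URL is passed
// straight to eval(), and report whether the CDN URL carries a version pin (assumed heuristic).

// A unpkg/jsDelivr URL is treated as pinned only when its package segment carries @version.
const CDN_PIN_RE = /^https?:\/\/(?:unpkg\.com|cdn\.jsdelivr\.net\/npm)\/((?:@[^/]+\/)?[^/@]+)(@[^/]+)?/;
const FETCH_URL_RE = /fetch\s*\(\s*['"`]([^'"`]+)['"`]/g;

// Return the source text inside each eval( ... ) call, matching parentheses by depth.
function evalArguments(src) {
  const args = [];
  let start = src.indexOf('eval(');
  while (start !== -1) {
    let depth = 0, end = start + 4;
    for (; end < src.length; end++) {
      if (src[end] === '(') depth++;
      else if (src[end] === ')' && --depth === 0) break;
    }
    args.push(src.slice(start + 5, end));
    start = src.indexOf('eval(', end);
  }
  return args;
}

// One finding per string-literal fetch() URL that feeds an eval() call.
function findRemoteEval(src) {
  const findings = [];
  for (const arg of evalArguments(src)) {
    for (const m of arg.matchAll(FETCH_URL_RE)) {
      const url = m[1];
      const pin = url.match(CDN_PIN_RE);
      findings.push({
        url,
        remote: /^https?:\/\//.test(url),
        packageName: pin ? pin[1] : null,
        pinned: Boolean(pin && pin[2]),
      });
    }
  }
  return findings;
}

// Constructed samples: the first is the line quoted in the advisory, the others are controls.
const SAMPLES = {
  unpinned: "globalThis.use = (await eval(await (await fetch('https://unpkg.com/use-m/use.js')).text())).use",
  pinned: "const m = await eval(await (await fetch('https://unpkg.com/use-m@1.0.0/use.js')).text());",
  apiCall: "const r = await (await fetch('https://api.github.com/repos', { method: 'POST' })).json();",
};

for (const [name, src] of Object.entries(SAMPLES)) console.log(name, findRemoteEval(src));
```

Only string-literal URLs are recognised; a URL built at runtime from variables would need data-flow tracking, which this check does not attempt.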

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003618",
            "versions": [
                "1.72.3"
            ],
            "sha256": "12e8cdb373e71695e4e6c772d1e578c5a74629620556e178d26f01f51550ea2d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T21:44:41Z",
            "import_time": "2026-05-26T05:50:58.758128257Z"
        },
        {
            "id": "IN-MAL-2026-003842",
            "versions": [
                "1.72.5"
            ],
            "sha256": "3b232e042b208f0b97d6a628564d09393a32bcaef72e98f8e14577200cbd7acd",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T14:00:12Z",
            "import_time": "2026-05-26T05:51:25.678163458Z"
        },
        {
            "id": "IN-MAL-2026-003608",
            "import_time": "2026-05-26T05:50:57.666860441Z",
            "sha256": "7dfeaad3a9eda8f440dabe165d4ff6ba593c9858b9752d9bded19b05b292072a",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T20:09:58Z",
            "versions": [
                "1.69.17"
            ]
        },
        {
            "id": "IN-MAL-2026-004238",
            "import_time": "2026-05-26T05:52:12.844989918Z",
            "sha256": "9f8fc0b69fbde13b464210c9e878b186c2ff6925216a6fbe32b696a8dc4ba6ef",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T18:30:32Z",
            "versions": [
                "1.72.6"
            ]
        },
        {
            "id": "IN-MAL-2026-003619",
            "versions": [
                "1.72.1"
            ],
            "sha256": "ebdea8c9c57a1f52fa0104ecee2863d658fcdabd1d349cd98a0ac6e848a8ceb9",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T21:51:15Z",
            "import_time": "2026-05-26T05:50:58.857959437Z"
        },
        {
            "id": "IN-MAL-2026-003815",
            "import_time": "2026-05-26T05:51:22.399936578Z",
            "sha256": "3a42678dfe5e822598d5b90ab5ea844cb32d71559fdbd5e3a31417701f7adb1f",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T12:55:38Z",
            "versions": [
                "1.72.4"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @link-assistant/hive-mind

Package

Name
@link-assistant/hive-mind
Purl
pkg:npm/%40link-assistant%2Fhive-mind

Affected ranges

Affected versions

1.*
1.69.17
1.72.1
1.72.3
1.72.4
1.72.5
1.72.6

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "src/config.lib.mjs",
            "sha256": "12cb17321bb398049d9b34fca141a669b9d20ac36fe8423fb79275584493dd17",
            "tlsh": "88f2d61b3861323207d71ac57f4f6806977aca68a706f4d8a85f56883f8e0249177fdb"
        }
    ],
    "package_integrity": [
        {
            "filename": "hive-mind-1.72.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-3op1yZWH6gA4GXB2o1TZKsvX6xJRf+IKqNSg4YNopdHGt7SOlXAFosEj8qy1EAPwV8HRRJSnuwohxVtJwQjPBQ==",
                "sha1": "b54fc0c512619498cab297a6adf41c241a1a2e68"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@link-assistant/hive-mind/MAL-2026-4403.json"