MAL-2026-4434

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@semacode/cli/MAL-2026-4434.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4434
Withdrawn
2026-05-26T18:24:46Z
Published
2026-05-20T08:31:36Z
Modified
2026-05-27T00:31:58.063825954Z
Summary
Malicious code in @semacode/cli (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (28a3662b8e26593b7bfec35d4d4f02595144885ee738891c4c9e6a89f9e50fbb)

The bundled CLI (dist/index.js) contains a hardcoded outbound POST to https://sema.otimitare.online combined with reads of process.env and process.platform in the same module. The destination domain does not match any documented publisher infrastructure for a CLI tool and the call site issues an HTTP POST carrying environment- and platform-derived data. This pattern — hardcoded non-publisher C2 + env/platform reads + POST in a tool's main bundled entry — is the exfiltration shape and not consistent with normal telemetry from a reputable vendor (no opt-out, undocumented destination, suspicious lookalike-style hostname under a generic .online TLD).

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.5.28"
            ],
            "modified_time": "2026-05-20T08:31:36Z",
            "sha256": "28a3662b8e26593b7bfec35d4d4f02595144885ee738891c4c9e6a89f9e50fbb",
            "id": "IN-MAL-2026-003501",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:44.704163199Z"
        }
    ]
}

Affected packages

npm / @semacode/cli

Package

Name
@semacode/cli
Purl
pkg:npm/%40semacode%2Fcli

Affected ranges

Affected versions

1.*
1.5.28

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "cli-1.5.28.tgz",
            "hashes": {
                "sha512_sri": "sha512-Afdnku795+xMei6kdxLNH1aVX5XSKzngLHjzKVbjJc3k6u/GZSzNGdZOJJSd6gS2KdCjzhgaTda7mPm2wAz9IQ==",
                "sha1": "7ddbe9b44e014ac9cdaf01b67b64a5059eae0e6a"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "tlsh": "fb54d75a59f705121e7722a86a8b4013b9385e432d0ced4abb5d83d01fcd96d92f3bec",
            "sha256": "c65ca3fbab007b8e6861743a487d64ba6e322544a5e7474dc3089f8a2f832fac"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@semacode/cli/MAL-2026-4434.json"