MAL-2026-4445

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@signetai/signet-memory-openclaw/MAL-2026-4445.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-4445
Withdrawn: 2026-05-26T21:14:22Z
Published: 2026-05-20T20:18:22Z
Modified: 2026-05-27T00:32:05.752777512Z
Summary: Malicious code in @signetai/signet-memory-openclaw (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b16e55a5379336a0ab822ee9fe70b20023e452595f41cfe2624464aadb73d390)

On plugin load, register() invokes installFetchSanitizer() (dist/index.js:14420-14463) which monkey-patches globalThis.fetch. For requests to api.anthropic.com, the patched fetch reads the installer's Claude Code OAuth token from the ~/.claude/ credential store (a credential issued by Anthropic's first-party Claude Code CLI, written by that CLI, not by this package), strips the caller's x-api-key header, and injects 'Authorization: Bearer <oauth-token>' in its place. The Anthropic SDK base prototype is also patched (installSdkSanitizer) so SDK-level callers cannot bypass the rewrite. Every outbound request additionally has a hardcoded billing-impersonation block injected into system[0] ('x-anthropic-billing-header: ccversion=2.1.80.a46; ccentrypoint=sdk-cli; cch=00000;') and forged Claude-Code-specific beta headers (claude-code-20250219, oauth-2025-04-20, interleaved-thinking-2025-05-14,...) merged into the request, impersonating the first-party Claude Code CLI to route the call onto subscription-tier metering. Net effect for the installer: any Anthropic API traffic generated by their OpenClaw agent is silently re-billed against their personal Claude Code subscription instead of the API account they configured, without disclosure or consent. This violates Anthropic's terms of service and exposes the installer's Claude Code subscription to suspension. The package's silent appropriation of caller-supplied/issued credentials and unilateral rerouting of API traffic is a silent-relay supply-chain harm: the installer's normal use of the documented API surface causes their own credential to be redirected without their knowledge.
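
A host-side check for the behaviour described above, added here as an example and not taken from the package, OpenClaw or the Anthropic SDK: it snapshots `fetch` and an SDK prototype method before a plugin's `register()` runs, optionally locks them, and reports what was replaced. All helper names, the stand-in scope, `SampleClient` and the sample plugin are constructed for illustration.

```javascript
// Added example: hypothetical helpers, not code from any real package or SDK.
// A target is { label, obj, key }, e.g. { label: 'fetch', obj: globalThis, key: 'fetch' }.

// Record the current value of every watched property before plugin code runs.
function snapshot(targets) {
  return targets.map((t) => ({ ...t, value: t.obj[t.key] }));
}

// Labels of watched properties whose value is no longer the recorded one.
function changedSince(snap) {
  return snap.filter((t) => t.obj[t.key] !== t.value).map((t) => t.label);
}

// Pin each watched property: a later assignment throws in strict mode and is
// ignored in sloppy mode; redefining it with Object.defineProperty throws.
function lock(targets) {
  for (const { obj, key } of targets) {
    const d = Object.getOwnPropertyDescriptor(obj, key) || {};
    Object.defineProperty(obj, key, {
      value: obj[key], writable: false, configurable: false, enumerable: !!d.enumerable,
    });
  }
}

// Run register() with the targets watched; with enforce=true, lock them first.
function loadPluginGuarded(register, targets, { enforce = false } = {}) {
  const snap = snapshot(targets);
  if (enforce) lock(targets);
  let blocked = false;
  try {
    register();
  } catch (err) {
    if (!(enforce && err instanceof TypeError)) throw err;
    blocked = true; // consistent with a write to a locked property
  }
  return { changed: changedSince(snap), blocked };
}

// Constructed demo: stand-in scope, SDK class and plugin (none are real APIs).
function demo(enforce) {
  const scope = { fetch: function originalFetch() {} };
  class SampleClient { request() {} }
  const targets = [
    { label: 'fetch', obj: scope, key: 'fetch' },
    { label: 'SampleClient.prototype.request', obj: SampleClient.prototype, key: 'request' },
  ];
  const register = () => {
    'use strict';
    const inner = scope.fetch;
    scope.fetch = (...a) => inner(...a); // pass-through wrapper only
    SampleClient.prototype.request = function () {};
  };
  return loadPluginGuarded(register, targets, { enforce });
}
```

In a real host the targets would be `globalThis.fetch` and whichever SDK prototype methods the application relies on, and the snapshot has to be taken before any third-party plugin module is imported.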

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003655",
            "import_time": "2026-05-26T05:51:03.195852707Z",
            "sha256": "48b5b26374c1a6550062b994aa59e7d10aa64ce33323b68e8a8445d659ecd71d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T00:07:09Z",
            "versions": [
                "0.123.12"
            ]
        },
        {
            "id": "IN-MAL-2026-003609",
            "import_time": "2026-05-26T05:50:57.798905214Z",
            "sha256": "721a603ed67c51b01bb68c99b863797017739e2c459fc24f289a4682c9c864b5",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T20:18:22Z",
            "versions": [
                "0.123.3"
            ]
        },
        {
            "id": "IN-MAL-2026-003610",
            "versions": [
                "0.123.3"
            ],
            "sha256": "873c72f988cc0c4ac4519546b3248c88cd803ff9f1d1c347e42afcf96ee2acd1",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T20:18:23Z",
            "import_time": "2026-05-26T05:50:57.903950687Z"
        },
        {
            "id": "IN-MAL-2026-003654",
            "versions": [
                "0.123.12"
            ],
            "sha256": "b16e55a5379336a0ab822ee9fe70b20023e452595f41cfe2624464aadb73d390",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T00:07:08Z",
            "import_time": "2026-05-26T05:51:03.096656797Z"
        }
    ]
}

Affected packages

npm / @signetai/signet-memory-openclaw

Package

Name: @signetai/signet-memory-openclaw
Purl: pkg:npm/%40signetai%2Fsignet-memory-openclaw

Affected ranges

Affected versions

0.*
0.123.3
0.123.12

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@signetai/signet-memory-openclaw/MAL-2026-4445.json"
indicators
{
    "evidence_files": [
        {
            "path": "dist/index.js",
            "sha256": "0c06e5bdcf287e7311bd092421d92a7bf615b6e4d2d6ec1b6b2a8a6497d24df3",
            "tlsh": "a4c4fa4a79f73021036371b5796f8006b93894036918eda8fa6cd2e09f4953686f7fed"
        },
        {
            "path": "dist/index.d.ts",
            "sha256": "afbbe995c5b0073cebad6c29b330ee31c6892b0fe3b4a99392784cabc5289fcd",
            "tlsh": "1b021286f92b11237dca9682ebfe40811e2451033738acfafde956910f9609c72f764c"
        }
    ],
    "package_integrity": [
        {
            "filename": "signet-memory-openclaw-0.123.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-RPWKq3GdCXqKAryaiEr5Z70FCRXj6XqxSMfwxo3dFGCGqV6q7b6TFMyu96MlUsd0Nk4nvz6oUqW2TnrH2lBfAA==",
                "sha1": "153689ee19da332c9fbb962c3fb367183ec5b378"
            }
        }
    ],
    "domains": [
        "34.11.16.104.in-addr.arpa"
    ]
}