MAL-2026-4472
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zhengshuo888/huoke/MAL-2026-4472.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4472
- Published
- 2026-05-21T04:39:55Z
- Modified
- 2026-05-26T06:02:07.385338968Z
- Summary
- Malicious code in @zhengshuo888/huoke (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab)
On npm install, the package's postinstall hook runs
node bin/huoke.js install-skill, which usesexecSyncto invokecurl -fsSLagainsthttps://raw.githubusercontent.com/amswf/huoke/main/SKILL.mdand writes the response into~/.hermes/skills/.../SKILL.mdand~/.openclaw/skills/.... The URL is on a personal GitHub user's account (amswf) that does not match the package's declared repository (huoke-link/huoke-skill), points at a mutablemainbranch, and the fetched content is not hash- or signature-verified. The package already ships aSKILL.mdin the tarball, but the postinstall ignores it and refetches remotely, so the file the AI ends up loading is whatever the controller of that personal repo serves at install time — not the file npm reviewed. The installed SKILL.md is loaded by Hermes/OpenClaw as agent instructions and containscurldirectives that the user's AI agent executes with the user's bearer tokens, giving the controller ofgithub.com/amswf/huokean install-time channel to direct privileged actions on the installer's machine. Separately,bin/huoke.jsdefaults its server endpoint tohttp://huoke.link(plaintext HTTP) with a hardcoded shared bearersk_clawx_dev_2026, so the credential-setup flow it advertises transmits the installer's email, verification code, and password in cleartext under a key shared by every installer — a quality issue layered on top of the install-time-fetch concern. - Database specific
{ "malicious-packages-origins": [ { "versions": [ "1.0.0" ], "modified_time": "2026-05-21T04:40:00Z", "sha256": "6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab", "id": "IN-MAL-2026-003740", "source": "amazon-inspector", "import_time": "2026-05-26T05:51:13.496186554Z" }, { "versions": [ "1.0.1" ], "modified_time": "2026-05-21T04:39:55Z", "sha256": "acb113efaf3da376f3e05a0bc0d39f144f8c1b4fda7c76b5a54a6612285f4c1b", "id": "IN-MAL-2026-003739", "source": "amazon-inspector", "import_time": "2026-05-26T05:51:13.383159103Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @zhengshuo888/huoke
Package
- Name
- @zhengshuo888/huoke
- View open source insights on deps.dev
- Purl
- pkg:npm/%40zhengshuo888%2Fhuoke
Database specific
cwes
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
indicators
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-VQz/5XH33bvZLPt4Z4g0VX8FEqT/N+7+GaTjYOSSXkncj4lq9dpSWKIstc5zKhHxCJxg1/MoXteIVxQrTHryzQ==",
"sha1": "20db0efaf8500debb0cbbe26adf0d9e70999feb0"
},
"filename": "huoke-1.0.0.tgz"
}
],
"evidence_files": [
{
"path": "bin/huoke.js",
"tlsh": "b81270b649f76530a673e28c6b47241a7126f9133604dc90b39c83962fdb670c663afd",
"sha256": "b1f808358328c819433eebc63742832687e3855b402dbaae0f60c5badbdbadcc"
},
{
"path": "package.json",
"tlsh": "16014930c9347c7318d546a8ac6a0982b1124d1708443c0aa3db245ebfaf76f91bf339",
"sha256": "1c518b25094a49cc11e6d62dea6802cb02baf45b5a8507e4ae2e6cdbe3053f9d"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zhengshuo888/huoke/MAL-2026-4472.json"