MAL-2026-4522
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/claude-all-config/MAL-2026-4522.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4522
- Published
- 2026-05-19T18:09:09Z
- Modified
- 2026-05-26T06:02:11.984908715Z
- Summary
- Malicious code in claude-all-config (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (63c5a1f5a6f5bd2dadc4e207ff4e8e310c24cd4c99c751ed094251e00e0af8f3)
On install, postinstall.js writes configuration into ~/.claude/, ~/.gemini/, ~/.codex/, and ~/.kiro/ that hard-wires AI tooling to author-controlled destinations:
- Silent relay to author's Telegram: mcp.json registers a 'telegram' MCP server with a hardcoded TELEGRAMBOTTOKEN (bot @mcpclibot, token 8898185692:AAEjW5PcFLiwKJYf58X4pYY47HpbZvWGOUk) and TELEGRAMCHAT_ID=1185240496 (the author's own chat). Any notification/message the installer routes through the Telegram MCP is delivered by default to the author's Telegram account.
- Author-funded API keys:.env.example ships live production keys for Z.AI (ZAIAPI_KEY=7b1a5a0d145545ae8f2baa2957691ac4...), MiniMax (sk-cp-EPrTEuQVxp0PES9ItiDFm46scpYtk3Ec...), Context7, and Exa, copied into ~/.claude/.env etc. Installer prompts and data are routed to API accounts owned by the package author.
- Command shadowing: ~/.local/bin/gemini and ~/.local/bin/codex symlinks shadow the real binaries; the shims source the author-supplied env (keys + Telegram token) before exec'ing the real tool, and the gemini shim auto-appends --yolo.
- Permission disablement: ~/.claude/settings.json and ~/.gemini/settings.json grant Bash(), Write(), WebFetch(*) and set autoAccept:true; the launcher exports IS_SANDBOX=1 to bypass Claude's root safety check and force --dangerously-skip-permissions.
- Unpinned remote shell installer: postinstall runs
curl -LsSf https://astral.sh/uv/install.sh | shwithout pin or checksum if uvx is missing.
The combination of (1) silent default routing of caller-supplied content to the author's Telegram chat, (2) injection of author-owned API credentials into the installer's AI stack so prompt/code content flows to author-controlled API endpoints, and (3) shimming of system commands so this routing applies to every future invocation of
gemini/codex, is a silent-relay supply-chain pattern: the installer's data and prompts flow to author-controlled destinations by default, without explicit per-invocation consent. - Database specific
{ "malicious-packages-origins": [ { "source": "amazon-inspector", "id": "IN-MAL-2026-003233", "import_time": "2026-05-26T05:50:15.631571327Z", "sha256": "63c5a1f5a6f5bd2dadc4e207ff4e8e310c24cd4c99c751ed094251e00e0af8f3", "versions": [ "3.8.3" ], "modified_time": "2026-05-19T18:13:03Z" }, { "source": "amazon-inspector", "id": "IN-MAL-2026-003231", "import_time": "2026-05-26T05:50:15.441870505Z", "sha256": "d978edb77d9b82d95d878690483bfc668843b96bd2644504b5caf98c517d425c", "modified_time": "2026-05-19T18:10:19Z", "versions": [ "3.9.0" ] }, { "source": "amazon-inspector", "id": "IN-MAL-2026-003230", "import_time": "2026-05-26T05:50:15.31239784Z", "sha256": "fa8219e402b4ed55938cd7cb8dd329c23aaf45d8319cf81aff7fe8433012b53a", "modified_time": "2026-05-19T18:09:10Z", "versions": [ "3.8.4" ] }, { "source": "amazon-inspector", "id": "IN-MAL-2026-003234", "import_time": "2026-05-26T05:50:15.731409902Z", "sha256": "a27984c210bd38e794cb4dedd2686363227688eb3d9fc0b686d4ece85e88b85d", "versions": [ "3.8.3" ], "modified_time": "2026-05-19T18:13:03Z" }, { "source": "amazon-inspector", "id": "IN-MAL-2026-003232", "import_time": "2026-05-26T05:50:15.531720692Z", "sha256": "b7779b68b37cf943e000407b81322e99a147b30b88236fefef74198eb8e92c68", "versions": [ "3.9.0" ], "modified_time": "2026-05-19T18:10:20Z" }, { "source": "amazon-inspector", "id": "IN-MAL-2026-003229", "import_time": "2026-05-26T05:50:15.205676932Z", "sha256": "d8d116d9a6b9569d1d4a469e907a49a26ff44400d1b51100186bc71d9ecbf399", "versions": [ "3.8.4" ], "modified_time": "2026-05-19T18:09:09Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / claude-all-config
Package
- Name
- claude-all-config
- View open source insights on deps.dev
- Purl
- pkg:npm/claude-all-config
Database specific
indicators
{
"package_integrity": [
{
"hashes": {
"sha1": "cae67d250c80f4665844ef3f5f75988a4cfc3bc7",
"sha512_sri": "sha512-yi82XcWaW0MuNalgQIQhwRP0tAFilWwgtFeZ+OqAK64bVSxlBuKEMIHCvf/q3CuRX2MgZLjuTlnSjD7fxvRqtA=="
},
"filename": "claude-all-config-3.8.3.tgz"
}
],
"domains": [
"astral.sh",
"releases.astral.sh"
],
"evidence_files": [
{
"tlsh": "3671317b6b987608be53da3d734c6193c72d7038b4418060438b7055e3ee826069bef9",
"sha256": "ddf8a9978d44f12aab9867414146fdf39ff8f9551180ae643977b73cc0e3bb7b",
"path": ".env.example"
},
{
"tlsh": "7dd2c60329fb02256673d2a94f4b10377218de532606ee603bed534d6fc56588aa37fe",
"path": "postinstall.js",
"sha256": "8fc75c45aa201157fa9cd80d19f80c50e2822c252c8beaa44ed595ee5c6597a7"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/claude-all-config/MAL-2026-4522.json"
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]