MAL-2026-4532

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/code-tool-langfuse/MAL-2026-4532.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4532
Published
2026-05-20T01:00:55Z
Modified
2026-05-26T06:02:24.535582085Z
Summary
Malicious code in code-tool-langfuse (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (13591fd81486fc2001b5c998ff87badefcb81f4c396aa43675a7280a6fed23cf)

The package installs a Claude Code Stop hook and patches OpenCode plugin code so that every future AI session's user prompts, assistant responses, tool calls, and tool results are POSTed over plain HTTP to http://120.46.221.227:3000 — a bare-IP Langfuse instance controlled by the publisher. The destination URL and a live Langfuse public/secret key pair (pk-lf-da0c90a7-..., sk-lf-0269b85d-bfdc-442c-bfa3-e737954e3315) are hardcoded as defaults in bin/cli.js and in three setup scripts (scripts/langfuse-setup.mjs, scripts/opencode-langfuse-setup.mjs, scripts/langfuse-check.mjs). Setup persists these values into ~/.claude/settings.json, ~/.bashrc / ~/.zshrc, and the Windows User environment, and overwrites ~/.config/opencode/node_modules/opencode-plugin-langfuse/dist/index.js with an inlined patched module — establishing the relay across every future shell session and AI tool invocation. Because the secret key is bundled, any installer who runs the package becomes a writer to the publisher's Langfuse project, which simultaneously stores every other installer's uploaded transcripts; this is a cross-installer data-leak channel, not just author self-harm. Additionally, scripts/langfuse-setup.mjs downloads https://gitcode.com/user-attachments/files/8187690/<id>.zip via PowerShell Invoke-WebRequest, expands it into ~/.claude/hooks/, and registers the extracted Python file as a persistent Claude Stop hook with no version pin or hash verification — a mutable third-party attachment URL whose contents can be swapped at any time and would then run on every Claude Code session end. Installer transcripts routinely contain source code, pasted secrets, and file contents, so the silent default destination materially harms users who install this tool.
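A host-side check for the persistence points named above, as an added example that is not part of the advisory or of the package. It scans the POSIX-side files the advisory lists for the relay address, any plain-HTTP bare-IP URL, and Langfuse key literals, and lists every registered Claude Code Stop hook command for manual review. The `hooks.Stop[].hooks[].command` layout of `settings.json` and the helper names are assumptions of this sketch.

```python
import json
import re
from pathlib import Path

# Indicators taken from the advisory text; patterns are deliberately broad.
PATTERNS = {
    "advisory relay host": re.compile(re.escape("120.46.221.227")),
    "plain-HTTP bare-IP URL": re.compile(r"http://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"),
    "Langfuse key literal": re.compile(r"\b[ps]k-lf-[0-9a-f-]{8,}"),
}

# Files the advisory says the setup scripts write to (relative to $HOME).
TARGETS = [
    ".claude/settings.json",
    ".bashrc",
    ".zshrc",
    ".config/opencode/node_modules/opencode-plugin-langfuse/dist/index.js",
]

def scan_text(text):
    """Return the sorted labels of all indicator patterns present in text."""
    return sorted(label for label, rx in PATTERNS.items() if rx.search(text))

def stop_hook_commands(settings):
    """Collect command strings registered as Stop hooks (assumed layout)."""
    cmds = []
    for group in settings.get("hooks", {}).get("Stop", []):
        for hook in group.get("hooks", []):
            if hook.get("type") == "command" and "command" in hook:
                cmds.append(hook["command"])
    return cmds

def audit_home(home):
    """Map each target file under home to its findings; clean files are omitted."""
    findings = {}
    for rel in TARGETS:
        path = Path(home) / rel
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        hits = scan_text(text)
        if rel.endswith("settings.json"):
            try:
                hits += [f"Stop hook: {c}" for c in stop_hook_commands(json.loads(text))]
            except (json.JSONDecodeError, AttributeError):
                hits.append("settings.json is not parseable JSON")
        if hits:
            findings[rel] = hits
    return findings

if __name__ == "__main__":
    for rel, hits in audit_home(Path.home()).items():
        print(rel, hits)
```

Every Stop hook is reported, including legitimate ones, so the output is a review list rather than a verdict; the Windows User environment mentioned in the advisory is not covered.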

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003377",
            "import_time": "2026-05-26T05:50:31.57863012Z",
            "sha256": "13591fd81486fc2001b5c998ff87badefcb81f4c396aa43675a7280a6fed23cf",
            "versions": [
                "0.1.2"
            ],
            "modified_time": "2026-05-20T01:43:14Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003347",
            "import_time": "2026-05-26T05:50:28.177531426Z",
            "sha256": "492f61b6a412e95db386b94c011565ec6fc2d231874f29f73c7ae6a327c422f1",
            "versions": [
                "0.1.1"
            ],
            "modified_time": "2026-05-20T01:13:37Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003332",
            "import_time": "2026-05-26T05:50:26.48704213Z",
            "sha256": "5dab07364db88cf7f0051205ec0e4b538c78acd354d1aca4b97b40f2ac8a6e72",
            "versions": [
                "0.1.7"
            ],
            "modified_time": "2026-05-20T01:00:55Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003356",
            "import_time": "2026-05-26T05:50:29.146445074Z",
            "sha256": "ad7940af7ae350155bcb08678c05996e1c0a62db4f195087be4a7d02d681597f",
            "modified_time": "2026-05-20T01:21:43Z",
            "versions": [
                "0.1.4"
            ]
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003344",
            "import_time": "2026-05-26T05:50:27.764560847Z",
            "sha256": "f6ca21a1b6d0b0aa67813438af32c2a53a5a4081464bb551e84593bcea8505eb",
            "versions": [
                "0.1.0"
            ],
            "modified_time": "2026-05-20T01:12:27Z"
        }
    ]
}

Affected packages

npm / code-tool-langfuse

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.1.4
0.1.7

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/code-tool-langfuse/MAL-2026-4532.json"
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "115e563dc244568c956c73e8be309b0aae3289d5",
                "sha512_sri": "sha512-qsdsIPpFArVqKnlhUA5rvi0xbYlRX330rCLKc89MDsEM2Bss2en7EMAogYTKWWWWiRcDzmkH/umbimkab3a6OA=="
            },
            "filename": "code-tool-langfuse-0.1.2.tgz"
        }
    ],
    "evidence_files": [
        {
            "tlsh": "1592a74468ea3d31026324985997443a763e8b03250de846fabe53e4af9dd38c6f377c",
            "sha256": "c0cb9f29ac589e33c21ac920559aa0f3f8d0310b7ec0907ec6b5dfacbbb8fcc0",
            "path": "bin/cli.js"
        },
        {
            "tlsh": "4102e647446a83a54bf223b027cb4029e2a520173752e6d0b7fc59e52fb117c8376eec",
            "path": "scripts/langfuse-setup.mjs",
            "sha256": "bf2748dab610fd00e62960c732c7ebf94c98f688679c2b5a75aa1e57f12d1dad"
        },
        {
            "tlsh": "f072a252c0aa092209b29111541f907e79ec73032a85fc947bbd86ed2fcc92e82779fd",
            "path": "scripts/opencode-langfuse-setup.mjs",
            "sha256": "4e9e8aff666f863b69288d4fa2d4710d46dd3c68e12f42e4587797b9c7cc55c5"
        }
    ]
}