MAL-2026-4625

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/oh-langfuse/MAL-2026-4625.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4625
Published
2026-05-21T08:17:27Z
Modified
2026-06-12T20:01:55.539115526Z
Summary
Malicious code in oh-langfuse (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (83b229927c5bc228764ab11651b10bd06c6ff61edffa820a632c343aeec13037)

The package configures Langfuse tracing for Claude Code, Codex, and OpenCode. When the operator runs the bundled CLI without explicitly overriding --langfuseBaseUrl, the setup writes LANGFUSE_BASEURL=http://120.46.221.227:3000 together with hardcoded public and secret Langfuse keys into ~/.claude/settings.json, ~/.codex/config.toml, OpenCode environment files, and shell shims. bin/cli.js lines 11-13 hardcode DEFAULT_LANGFUSE_BASE_URL = "http://120.46.221.227:3000", DEFAULT_LANGFUSE_PUBLIC_KEY = "pk-lf-da0c90a7-...", and DEFAULT_LANGFUSE_SECRET_KEY = "sk-lf-0269b85d-..."; scripts/langfuse-setup.mjs and scripts/opencode-langfuse-run.mjs reuse the same secret-key default.

The installed Python hooks then ship every Claude/Codex turn (user prompts, assistant responses, tool inputs, and tool outputs, which routinely include file contents and any secrets observed in tool calls) to that bare IPv4 endpoint. The destination is the publisher's own Langfuse instance, presented to the operator only as a numeric IP with no publisher-domain branding, served over cleartext HTTP, and pre-authenticated with credentials baked into the package.

An additional fallback path in scripts/langfuse-setup.mjs downloads a hooks zip from https://gitcode.com/user-attachments/files/8187690/7a797a5314b9497cae7b055aa51be646.zip via PowerShell Invoke-WebRequest and installs it as the Claude Code Stop hook when both --pyPath is absent and the bundled langfuse_hook.py is missing. That path is normally bypassed, but it is a brittle route to third-party-hosted code that Claude Code will execute.

The trigger is the operator running the CLI with defaults (or --yes), not npm install; however, the documented invocation pattern of this package is to run that CLI, and the default behavior silently relays caller-supplied agent data (containing the operator's own code and secrets) to a publisher-controlled destination.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "versions": [
                "0.1.22"
            ],
            "sha256": "b94251e0353c83033676a5e7b3a5c2b039b3e79914adda00d48aea70750a25bf",
            "modified_time": "2026-05-21T08:17:36Z",
            "id": "IN-MAL-2026-003779",
            "import_time": "2026-05-26T05:51:17.894266246Z"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "0.1.21"
            ],
            "sha256": "d9c25790370e3598801d59f56a8b4b42b16922c718176c30185c649bdc34f9e5",
            "modified_time": "2026-05-21T08:17:27Z",
            "id": "IN-MAL-2026-003778",
            "import_time": "2026-05-26T05:51:17.797617995Z"
        },
        {
            "id": "IN-MAL-2026-005994",
            "import_time": "2026-06-12T19:43:56.115185524Z",
            "versions": [
                "0.1.28"
            ],
            "modified_time": "2026-06-12T19:06:52Z",
            "source": "amazon-inspector",
            "sha256": "e1e95aab765fc3da4a5700e41ccdb26654ac4fc40e037966c019712d4c2ff55a"
        },
        {
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:57.165040541Z",
            "sha256": "23c57256befdad12e934704b856b3dd9cfd8343482c675f709642ed98eb4c4c7",
            "modified_time": "2026-06-12T19:07:07Z",
            "id": "IN-MAL-2026-006003",
            "versions": [
                "0.1.48"
            ]
        },
        {
            "sha256": "31e2892b19b71acdeb7c83110e7477977b77fcf79e1aa431a89af1a30e5e343e",
            "import_time": "2026-06-12T19:43:57.852421122Z",
            "id": "IN-MAL-2026-006009",
            "modified_time": "2026-06-12T19:07:17Z",
            "versions": [
                "0.1.56"
            ],
            "source": "amazon-inspector"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "0.1.31"
            ],
            "sha256": "6a75a00e851680ba5b54d5cb046f72296a04024d5cddcad78e2a8a55c0bd3e8f",
            "modified_time": "2026-06-12T19:06:55Z",
            "id": "IN-MAL-2026-005996",
            "import_time": "2026-06-12T19:43:56.353706034Z"
        },
        {
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:57.400106664Z",
            "sha256": "f6564dc8542644b56f90cdc08f94213a034ea320a029b5e6316561f2837f44f3",
            "modified_time": "2026-06-12T19:07:10Z",
            "id": "IN-MAL-2026-006005",
            "versions": [
                "0.1.50"
            ]
        },
        {
            "id": "IN-MAL-2026-006002",
            "import_time": "2026-06-12T19:43:57.05642435Z",
            "versions": [
                "0.1.46"
            ],
            "modified_time": "2026-06-12T19:07:05Z",
            "source": "amazon-inspector",
            "sha256": "f28aebdb8470dfaf939d09cb8e1809eeaae0cba02dabad1d4d93646376a113fd"
        },
        {
            "sha256": "50ba28313c30557acc00a643b1ab490ab5d513df47c5278cfed0836e13b0b438",
            "import_time": "2026-06-12T19:43:57.758149101Z",
            "id": "IN-MAL-2026-006008",
            "modified_time": "2026-06-12T19:07:15Z",
            "versions": [
                "0.1.53"
            ],
            "source": "amazon-inspector"
        },
        {
            "id": "IN-MAL-2026-005999",
            "import_time": "2026-06-12T19:43:56.763512539Z",
            "versions": [
                "0.1.43"
            ],
            "modified_time": "2026-06-12T19:07:00Z",
            "source": "amazon-inspector",
            "sha256": "593939706990f776735dc778bc1e6e41a44a6bd7166e50a23376b1c48bac3042"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "0.1.44"
            ],
            "sha256": "83b229927c5bc228764ab11651b10bd06c6ff61edffa820a632c343aeec13037",
            "modified_time": "2026-06-12T19:07:02Z",
            "import_time": "2026-06-12T19:43:56.8587184Z",
            "id": "IN-MAL-2026-006000"
        },
        {
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:56.525541675Z",
            "sha256": "98ab175d2e12969d09ba6f27b976441a4d9c9eec25f040410b2dc006e6ef3926",
            "modified_time": "2026-06-12T19:06:57Z",
            "id": "IN-MAL-2026-005997",
            "versions": [
                "0.1.38"
            ]
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "0.1.42"
            ],
            "sha256": "602efd12592d5ec573f59c258af9fced8bf94f110a4c6373b20230a2d5312eb7",
            "modified_time": "2026-06-12T19:06:58Z",
            "import_time": "2026-06-12T19:43:56.650964581Z",
            "id": "IN-MAL-2026-005998"
        },
        {
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:56.953095436Z",
            "sha256": "ca39f00882f0c0cebcff7b48ad2b87f56dba9ca4e2a7d0b764608d46c0c24011",
            "modified_time": "2026-06-12T19:07:03Z",
            "id": "IN-MAL-2026-006001",
            "versions": [
                "0.1.45"
            ]
        },
        {
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:57.307608239Z",
            "sha256": "f6e518f1ae5305739066dbc9e1a15ed6fbde1b8785e8b92ef47fb355cff8f644",
            "modified_time": "2026-06-12T19:07:08Z",
            "id": "IN-MAL-2026-006004",
            "versions": [
                "0.1.49"
            ]
        },
        {
            "id": "IN-MAL-2026-005995",
            "import_time": "2026-06-12T19:43:56.263596467Z",
            "versions": [
                "0.1.29"
            ],
            "modified_time": "2026-06-12T19:06:53Z",
            "source": "amazon-inspector",
            "sha256": "579e2a88c2e4776b660ff1f9c768ad449bc09cdcdf78d1c886937c90518cc69f"
        },
        {
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:43:57.546346512Z",
            "sha256": "b4e45a61284456d4c47754053415e5116356606f2814099edf7a57d8bb54bb7f",
            "modified_time": "2026-06-12T19:07:12Z",
            "id": "IN-MAL-2026-006006",
            "versions": [
                "0.1.51"
            ]
        },
        {
            "sha256": "de5663460e2dc8b2d9e0e54606b7fe18b4b04307dfe33e66c6f745a9fb7fde9e",
            "import_time": "2026-06-12T19:43:57.662117988Z",
            "id": "IN-MAL-2026-006007",
            "modified_time": "2026-06-12T19:07:13Z",
            "versions": [
                "0.1.52"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / oh-langfuse

Affected ranges

0.*

Affected versions

0.1.21
0.1.22
0.1.28
0.1.29
0.1.31
0.1.38
0.1.42
0.1.43
0.1.44
0.1.45
0.1.46
0.1.48
0.1.49
0.1.50
0.1.51
0.1.52
0.1.53
0.1.56

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "oh-langfuse-0.1.22.tgz",
            "hashes": {
                "sha512_sri": "sha512-QjRlw9YkPteocg4hgxkNxa/V2U6ShfVt+FOuzz0t6nlkIXAC7huxhdA5ArC5lItrnYj50sWusaOZU6JZP2BlHg==",
                "sha1": "87e661fa5b2020b192bfc5bea9c3fcb11d242762"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "13d1140fde10c1b13d61c7552a2a7339896909a8ecc681f84416753bd3805a67",
            "tlsh": "48e2a44958da792107b325a89a530439fa3e47131409d546fabf43e86fb9938c2f3b7c",
            "path": "bin/cli.js"
        },
        {
            "sha256": "5343623983dc704028b93b54913a3c6f2eb3ff8d6e5545a1159f58fd4c255a1f",
            "tlsh": "e922194784ba86640bb263b4238f8425f2e512173741eaa4b7bc94e52f7413cc677eec",
            "path": "scripts/langfuse-setup.mjs"
        },
        {
            "sha256": "daf344ce7d7507763091e409942b06eb681b3ebd86e2314ca35689472b0f58d5",
            "tlsh": "bfa2c503946a09220db257215a0b447ef9fd37132241e995bbbd86dd1ff8928c1a3efd",
            "path": "scripts/opencode-langfuse-setup.mjs"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/oh-langfuse/MAL-2026-4625.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]