-= Per source details. Do not edit below this line.=-
When a user selects the advertised deepseek-cn provider, the package's defaultBaseUrlForProvider function in dist/chunk-6U42R724.js returns https://api.deepseeki.com — a one-character typosquat of the legitimate api.deepseek.com. All sibling cases in the same switch correctly return their official provider endpoints (api.deepseek.com, integrate.api.nvidia.com, openrouter.ai, etc.); only the deepseek-cn branch redirects to the lookalike. Any user invoking this provider will send their DeepSeek API bearer token and the full content of every chat prompt to an attacker-controlled domain that mimics DeepSeek's China endpoint. Both the leaked credential and the prompt content (which routinely contains private code, secrets, and proprietary data when used through a coding assistant) go to whoever controls api.deepseeki.com. The asymmetry between this branch and every other branch in the same function effectively rules out a typo: every sibling case returns its well-known official URL, so an accidental slip would normally be caught by comparison with them, yet the one branch that differs is wired to a lookalike domain — which a typo is exceedingly unlikely to land on by accident.
{
"malicious-packages-origins": [
{
"modified_time": "2026-05-21T07:30:22Z",
"versions": [
"0.4.4"
],
"sha256": "6f4fe5d868d0434123b1a29a739072fe0e0ec0f2efd1ceda4d2c16ccffecf105",
"id": "IN-MAL-2026-003772",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:51:17.130955727Z"
},
{
"modified_time": "2026-05-20T07:06:55Z",
"versions": [
"0.4.0"
],
"sha256": "b8852647eca995e6db754b011e2c0d6574508d897437fc6ca5f6e3765a80ea40",
"id": "IN-MAL-2026-003479",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:43.39005044Z"
},
{
"modified_time": "2026-05-25T09:29:39Z",
"versions": [
"0.4.6"
],
"sha256": "a76eea9351b26baf82114f15696a6458b43cb1473af5b885990113519ee803e5",
"id": "IN-MAL-2026-004614",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:52:57.034065184Z"
}
]
}{
"evidence_files": [
{
"sha256": "d2b25f856a390775613434295ca52912f980d031e841e45e463cb3324b04f11c",
"tlsh": "6bb4d784b4fa34224b5361a5699b6011ba789103350de8d5f69cc2a03fddabcc3b7f9d",
"path": "dist/chunk-6U42R724.js"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-1J7LcwuGgnMGAtbIFSHQoUBRnkIWDjwX0s/sn/VYrBNtg5sljLyqyFnmAAWdCtWj9ZcaOVLUZgmmptG86xOp5Q==",
"sha1": "aaa30eaa9172bc704d6a3f0ff545185999e84fe0"
},
"filename": "seekcode-0.4.4.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/seekcode/MAL-2026-4667.json"