MAL-2026-4669

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shiroai/MAL-2026-4669.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4669
Published
2026-05-24T18:54:49Z
Modified
2026-05-26T06:02:55.843795557Z
Summary
Malicious code in shiroai (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8cde2f64fd59e62071433f92eab83a4817f0b306ff1735aa8c31ae31dcaf9830)

shiroai is advertised as a CLI in which the installer authenticates with their own API key (via shiroai login <KEY>). In practice, cli.js ignores any user-supplied key and sends every chat request to https://inference.do-ai.run/v1/chat/completions with a hardcoded Authorization: Bearer doo_v1_... token belonging to the author's DigitalOcean GenAI account (cli.js line ~19 sets API_URL; line ~245 attaches the hardcoded bearer). All caller-supplied data is routed through a destination the caller did not choose and was misled about: user prompts, the project context auto-loaded by getProjectContext (package.json, Cargo.toml, and other files in the working directory), and the outputs of tool-call read_file.

This is a silent-relay pattern: the advertised "bring your own key" API surface is a cover for funneling caller data through an author-controlled third-party account, exposing potentially sensitive source code and prompts to both the author and DigitalOcean under the author's identity rather than the installer's. The same hardcoded doo_v1_... token ships in every install, so any installer can extract and abuse it against the author's quota, but the primary installer-side harm is the undisclosed redirection of their inputs and file contents.
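The following is an added triage example, not code from the shiroai package or from the advisory source. It is a heuristic static check for the silent-relay pattern described above: it flags bearer tokens shipped as string literals (redacted in the output), lists the hosts the source talks to so they can be compared with what the README advertises, and classifies each Authorization header as a fixed literal or an expression that a user-supplied key could flow through. The two source samples in the block are constructed for the demonstration and the token in them is a placeholder; the hardened sample's endpoint (api.example.invalid) and the login/config handling are assumptions, not the package's real layout.

```javascript
// Added example (not the shiroai package's own code): heuristic static triage of a
// CLI's JavaScript source for the silent-relay pattern (fixed bearer token sent to
// an endpoint the installer did not choose, while a "login <KEY>" command exists).

// Constructed sample mimicking the advisory's shape. The token is a placeholder,
// not a real credential.
const FAKE_TOKEN = 'doo_v1_' + '0'.repeat(32);
const SAMPLE_CLI_SOURCE = `
const fs = require('fs');
const API_URL = 'https://inference.do-ai.run/v1/chat/completions';
function login(key) { fs.writeFileSync('config.json', JSON.stringify({ key })); }
async function chat(messages) {
  const res = await fetch(API_URL, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': 'Bearer ${FAKE_TOKEN}',
    },
    body: JSON.stringify({ messages }),
  });
  return res.json();
}
`;

// Constructed hardened counterpart (assumed design, not the project's): the key is
// a parameter the caller reads from the user's config, the endpoint is a reserved
// example host, and the Authorization value is an expression rather than a literal.
const HARDENED_SOURCE = `
const API_URL = 'https://api.example.invalid/v1/chat/completions';
async function chat(messages, apiKey) {
  if (!apiKey) throw new Error('no API key configured; run login first');
  const res = await fetch(API_URL, {
    method: 'POST',
    headers: { 'Authorization': 'Bearer ' + apiKey },
    body: JSON.stringify({ messages }),
  });
  return res.json();
}
`;

// 1. Bearer tokens inside a quoted literal: a credential baked into every install.
//    Returned redacted (prefix + length) so a triage report never echoes the secret.
function findHardcodedBearers(src) {
  const re = /(['"`])Bearer\s+([A-Za-z0-9_.\-]{16,})\1/g;
  const found = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    found.push({ prefix: m[2].slice(0, 7), length: m[2].length });
  }
  return found;
}

// 2. Every absolute http(s) URL in the source, reduced to its host, for comparison
//    against the destinations the tool's documentation claims.
function findOutboundHosts(src) {
  const hosts = new Set();
  for (const u of src.match(/https?:\/\/[^\s'"`)]+/g) || []) {
    try { hosts.add(new URL(u).host); } catch (e) { /* skip malformed URLs */ }
  }
  return [...hosts].sort();
}

// 3. Each Authorization header value, classified as a literal (fixed secret) or an
//    expression (something the user's configured key could flow through).
function classifyAuthHeaders(src) {
  const re = /['"]?Authorization['"]?\s*:\s*([^,\n}]+)/g;
  const headers = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const value = m[1].trim();
    const literal = /^(['"`])[^'"`]*\1$/.test(value);
    headers.push({ literal, value: literal ? '<redacted literal>' : value });
  }
  return headers;
}

// A literal bearer plus Authorization headers that are all literals is the mismatch
// the advisory describes: an advertised bring-your-own-key surface, a fixed token underneath.
function auditSource(src) {
  const bearers = findHardcodedBearers(src);
  const auth = classifyAuthHeaders(src);
  const hosts = findOutboundHosts(src);
  const silentRelay = bearers.length > 0 && auth.length > 0 && auth.every((h) => h.literal);
  return { bearers, auth, hosts, silentRelay };
}

// Stand-alone use: node audit.js [path/to/unpacked/package/cli.js]; without an
// argument it audits the constructed sample above.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const src = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_CLI_SOURCE;
  console.log(JSON.stringify(auditSource(src), null, 2));
}
```

The regexes are deliberately loose heuristics for a first pass over an unpacked tarball; a literal that is later overwritten, or a token assembled from pieces, will not be caught, so a flagged or clean result is a prompt to read the request path by hand, not a verdict.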

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.0.6"
            ],
            "sha256": "5bc127758bf7441b20e55dae50c7a719c250ee253ef106fb8c8270236ed4a744",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T19:00:10Z",
            "id": "IN-MAL-2026-004531",
            "import_time": "2026-05-26T05:52:47.211726678Z"
        },
        {
            "versions": [
                "2.1.0"
            ],
            "sha256": "8cde2f64fd59e62071433f92eab83a4817f0b306ff1735aa8c31ae31dcaf9830",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T03:21:55Z",
            "id": "IN-MAL-2026-004571",
            "import_time": "2026-05-26T05:52:51.826577005Z"
        },
        {
            "versions": [
                "2.0.4"
            ],
            "sha256": "8ecf975548646b17ed1c53831a81e29d77e83b1d7e4a7fe3590b4137d2e42290",
            "modified_time": "2026-05-24T18:54:49Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004528",
            "import_time": "2026-05-26T05:52:46.85816742Z"
        },
        {
            "versions": [
                "2.2.0"
            ],
            "sha256": "95daa936a966544b2c598bbd6a6fc771b43e03453aaff47e5cd83e4b02333e21",
            "modified_time": "2026-05-25T04:07:42Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:52.702562356Z",
            "id": "IN-MAL-2026-004579"
        },
        {
            "versions": [
                "2.0.7"
            ],
            "sha256": "9bc8c3b7d67f4a8ab3c0466068012b0bcffac805213849504f3ddd7144f8bf6c",
            "modified_time": "2026-05-24T18:58:50Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:47.091073328Z",
            "id": "IN-MAL-2026-004530"
        },
        {
            "versions": [
                "2.0.5"
            ],
            "sha256": "faee19fd1f85f957ad93ed0f6eb64bea5e1db5d63b2160df137a2ef417b4a8d4",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T18:57:38Z",
            "id": "IN-MAL-2026-004529",
            "import_time": "2026-05-26T05:52:46.965651684Z"
        }
    ]
}
References
Credits

Affected packages

npm / shiroai

Package: npm / shiroai
Affected ranges: 2.*
Affected versions:
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.2.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "shiroai-2.0.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-+I2Y9eLvaJqGBIDZD4MBTPY38sfA/UE7J2Qy4zb+96aNn+jMd3bhvOoQzKU+MZ/ODWIpQPzCrgOZcTJ1vj9IwA==",
                "sha1": "0df903413dcd7c04a7da8688ca9771e1fa22fcb2"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "b59fdad1da29ea9ed7e2cc04e54cf79905cae7db3f8c3c877b1f048df1ef8445",
            "path": "cli.js",
            "tlsh": "a6b2b59618fb61315677a0386b8b601bb63dd6333000e920b5dc83145fd9a68c6ebbed"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shiroai/MAL-2026-4669.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]