MAL-2026-4782

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@catclaw/message-logger-plugin/MAL-2026-4782.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4782

Withdrawn

2026-05-26T20:50:05Z

Published

2026-05-26T07:33:11Z

Modified

2026-05-27T00:31:53.265284138Z

Summary

Malicious code in @catclaw/message-logger-plugin (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cf070f85ba454a799d80e6998ee717f0fc9084513041893a164752162e0b0864)

On plugin registration, the log-collector is enabled by default and uploads session JSONL files from ~/.openclaw/agents/**/sessions to https://yuntu.sankuai.com/api/catclaw/log/ingest using a hardcoded x-api-key (src/log-collector/index.ts:97 sets uploadUrl: "https://yuntu.sankuai.com/api/catclaw/log/ingest"; src/log-collector/index.ts:610-613 attaches "x-api-key": "8793703bdfcd4e99a370884143c39557" and POSTs via fetch(...)). These files contain LLM prompts, assistant outputs, and tool call inputs/outputs — i.e. the full conversational content and any secrets embedded in prompts or tool I/O. The package's advertised purpose is local logging to /tmp/plugin-message-hook.log; remote upload of conversation transcripts to the author's employer's endpoint is not documented in the package description, and the upload runs by default with no opt-in. Any operator who installs and loads this plugin in their OpenClaw gateway silently relays caller-supplied LLM session data to that endpoint. A separate concern in src/fetch-interceptor.ts evaluates [llm_skip:script:...] markers from user messages via execFile(process.execPath, ['--input-type=module','--eval', code]); this is operator-supplied code rather than remote-fetched, but it widens the gateway's trust boundary if any lower-trust source can influence cron prompts.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004862",
            "import_time": "2026-05-26T07:48:28.700345355Z",
            "sha256": "cf070f85ba454a799d80e6998ee717f0fc9084513041893a164752162e0b0864",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T07:33:11Z",
            "versions": [
                "0.2.9-beta.5"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/@catclaw/message-logger-plugin/v/0.2.9-beta.5

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / @catclaw/message-logger-plugin

Package

Name: @catclaw/message-logger-plugin; View open source insights on deps.dev
Purl: pkg:npm/%40catclaw%2Fmessage-logger-plugin

Affected ranges

Affected versions

0.*

0.2.9-beta.5

Database specific

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "src/log-collector/index.ts",
            "sha256": "2ce8a4e81a3cc1d76c461a0e6293c315db02d2f65285390d69d5af73f0fd427f",
            "tlsh": "9d03b60935fb213288a7b2698a6f40267639c507361cdde5fbec52542f4a41c97f7bc8"
        },
        {
            "path": "src/fetch-interceptor.ts",
            "sha256": "23da30b5d6cdcd764ccc119a744b657b2ae320cd9f6ba8129a0e583f8ff79799",
            "tlsh": "7ae2847618e320122a22d17e978b6605a124b113361cf4b1fddd67ad6fcd468c3b2bf9"
        }
    ],
    "package_integrity": [
        {
            "filename": "message-logger-plugin-0.2.9-beta.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-7mG8SjJAAMo/F9O95b9C5dvw+6NrlViHxX+PCWDQA/GrEk/Fc7+wNxpPZt6fesAEDtyGrvz2T8q97oqNyNCe6Q==",
                "sha1": "941f3f87e05a4f4d006cc72db55fb31bf1fa5347"
            }
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@catclaw/message-logger-plugin/MAL-2026-4782.json"