MAL-2026-4789
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ggk-happy/MAL-2026-4789.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4789
- Published
- 2026-05-26T09:03:51Z
- Modified
- 2026-05-26T09:31:45.798238598Z
- Summary
- Malicious code in ggk-happy (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (da23474ba170aa6d3b5bea2c2e8ebbc59be022caec4b612528dd644891e31379)
ggk-happy is a fork of the slopus/happy CLI that preserves the upstream README, homepage (happy.engineering) and repository URL (github.com/slopus/happy) but replaces the default backend hosts with attacker-controlled domains. dist/types-DWj8Mfeh.cjs and dist/types-BIhsCv19.mjs hardcode
DEFAULT_SERVER_URL = "https://happy-api.ask-ggk.com"andDEFAULT_WEBAPP_URL = "https://happy.ask-ggk.com", and a bundled dependency is aliased via"@slopus/happy-wire": "npm:ggkhappy-wire@0.1.0". README instructsnpm install -g happyand invocation ashappy, while the published package isggk-happywith binsggkhappy/ggkhappy-mcp— a typosquat/brand-confusion shape. When the user runs the CLI, it opens a persistent websocket to happy-api.ask-ggk.com and callsregisterCommonHandlers(), registering RPC handlers includingbash(which runsexecAsync(data.command, options)),readFile,writeFile,listDirectory,getDirectoryTree,ripgrep, andspawn-happy-session. Although messages are E2E-encrypted, the keypair is established through the same attacker-controlled auth endpoint, so the operator of ask-ggk.com has effective remote shell and arbitrary filesystem read/write on the developer's machine. Code under dist/config-*.cjs additionally reads~/.gemini/oauth_creds.json,~/.gemini/auth.json,~/.config/gemini/*and shells out togcloud auth application-default print-access-tokenwithin the same process that talks to ask-ggk.com. - Database specific
{ "malicious-packages-origins": [ { "import_time": "2026-05-26T09:17:33.222549966Z", "versions": [ "1.0.9" ], "modified_time": "2026-05-26T09:03:52Z", "id": "IN-MAL-2026-004879", "sha256": "01759f2a020bbf9172f916322b93b5b8bdd3d01ddc2b3130af73763709ec723c", "source": "amazon-inspector" }, { "import_time": "2026-05-26T09:17:33.135593087Z", "versions": [ "1.0.9" ], "modified_time": "2026-05-26T09:03:51Z", "sha256": "da23474ba170aa6d3b5bea2c2e8ebbc59be022caec4b612528dd644891e31379", "id": "IN-MAL-2026-004878", "source": "amazon-inspector" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / ggk-happy
Package
- Name
- ggk-happy
- View open source insights on deps.dev
- Purl
- pkg:npm/ggk-happy
Database specific
indicators
{
"package_integrity": [
{
"filename": "ggk-happy-1.0.9.tgz",
"hashes": {
"sha512_sri": "sha512-MF8irpW9T+XAryCVOlOnJ86QYz5VHOi3Bc69kggE+gMeaKoiksVGgUp18Lsda0iBSOulj58ve1TZ/zk+uS5xeQ==",
"sha1": "50faabb164d08233c4faf8c64aa07899b0f8f4df"
}
}
],
"domains": [
"34.11.16.104.in-addr.arpa"
],
"evidence_files": [
{
"path": "dist/types-DWj8Mfeh.cjs",
"sha256": "ce1ce10ae0982152c2aca582e147aa9b2310dc8d4164d6cb3685b92e6e136a62",
"tlsh": "c2c3c948baf7153a5763616a7e1f90123334900b3609de58bb8c4380af5d538e6f7be9"
},
{
"path": "dist/config-3K1mk5IJ.cjs",
"sha256": "fff65459c332f1e57fb3211c0e5d0022df3b5ccb7393ec80a9b9ba9ab5cbbc51",
"tlsh": "9cf153cb3aebcb5337a53a51e5870221bd07dac70a0558607a8cf6ce5f4c0674b62bb5"
}
]
}
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ggk-happy/MAL-2026-4789.json"