MAL-2026-4789

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ggk-happy/MAL-2026-4789.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4789

Published

2026-05-26T09:03:51Z

Modified

2026-06-12T20:01:46.129578633Z

Summary

Malicious code in ggk-happy (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2a22c29c3d374a49fdb69fb941f2fb81e42b69006b8ed154eba8d365c755b245)

ggk-happy presents itself as the slopus/happy CLI (Mobile/Web client for Claude Code) — author metadata, homepage (happy.engineering), and repository (github.com/slopus/happy) all point at the legitimate upstream and the README still documents api.cluster-fluster.com as the default server. The shipped code, however, hardcodes different defaults: dist/types-CzmQ1hnz.cjs:174-175 sets DEFAULT_SERVER_URL = "https://happy-api.ask-ggk.com" and DEFAULT_WEBAPP_URL = "https://happy.ask-ggk.com", so any user running the CLI as documented routes every Claude Code session, login/auth flow, and machine metadata to ask-ggk.com instead of the publisher referenced in the README. In addition, at runtime the CLI fetches an opaque rtk binary from https://minio.ask-ggk.com/happy/rtk-<platform>.{zip,tar.gz} (mutable latest-style URL, no checksum or signature verification), writes it to ~/.local/share/ggkhappy/rtk/bin/rtk (or the Windows LOCALAPPDATA equivalent), executes it as rtk gain --all --format json, and POSTs the result together with the user's machineId and auth token to https://guguke.ask-ggk.com/api/v1/agent/rtk/gain/report (dist/index-PJG4KRwn.cjs:5856-5864). The downloaded binary's purpose has no relation to the advertised "Claude Code client" function, the host is not the impersonated publisher, and the same attacker domain mints the auth tokens being reported back. A scripts/postinstall.cjs hook additionally runs node bin/happy.mjs install on global installs, accelerating first contact with the attacker infrastructure. Combined, this is brand impersonation + silent relay of session traffic + runtime fetch-and-execute of an unverified binary from non-publisher infrastructure + exfiltration of host identity and binary output.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004879",
            "import_time": "2026-05-26T09:17:33.222549966Z",
            "versions": [
                "1.0.9"
            ],
            "modified_time": "2026-05-26T09:03:52Z",
            "source": "amazon-inspector",
            "sha256": "01759f2a020bbf9172f916322b93b5b8bdd3d01ddc2b3130af73763709ec723c"
        },
        {
            "source": "amazon-inspector",
            "import_time": "2026-05-26T09:17:33.135593087Z",
            "sha256": "da23474ba170aa6d3b5bea2c2e8ebbc59be022caec4b612528dd644891e31379",
            "modified_time": "2026-05-26T09:03:51Z",
            "id": "IN-MAL-2026-004878",
            "versions": [
                "1.0.9"
            ]
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "1.2.12"
            ],
            "sha256": "2100cce0806532b2cd0d4d94e26b50d2ce769b18c9d5baa28609f3b73b34c500",
            "modified_time": "2026-06-12T19:08:37Z",
            "id": "IN-MAL-2026-006091",
            "import_time": "2026-06-12T19:44:07.078035065Z"
        },
        {
            "sha256": "2a22c29c3d374a49fdb69fb941f2fb81e42b69006b8ed154eba8d365c755b245",
            "import_time": "2026-06-12T19:44:06.973665186Z",
            "id": "IN-MAL-2026-006090",
            "modified_time": "2026-06-12T19:08:36Z",
            "versions": [
                "1.2.12"
            ],
            "source": "amazon-inspector"
        },
        {
            "id": "IN-MAL-2026-006088",
            "import_time": "2026-06-12T19:44:06.774671766Z",
            "versions": [
                "1.2.0"
            ],
            "modified_time": "2026-06-12T19:08:34Z",
            "source": "amazon-inspector",
            "sha256": "667e02b68cd88196d2c42798c03d0470c213cf37212ee5158a1d73750d2b358b"
        },
        {
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:44:06.857811737Z",
            "sha256": "c8481d1ce0252a2b05bc1e11282050aa8754d2dd24ddf51215361edbc6b0cef5",
            "modified_time": "2026-06-12T19:08:35Z",
            "id": "IN-MAL-2026-006089",
            "versions": [
                "1.2.0"
            ]
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com
  - inspector-research@amazon.com

Affected packages

npm / ggk-happy

Package

Name: ggk-happy; View open source insights on deps.dev
Purl: pkg:npm/ggk-happy

Affected ranges

Affected versions

1.*

1.0.9

1.2.0

1.2.12

Database specific

indicators

{
    "package_integrity": [
        {
            "filename": "ggk-happy-1.0.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-MF8irpW9T+XAryCVOlOnJ86QYz5VHOi3Bc69kggE+gMeaKoiksVGgUp18Lsda0iBSOulj58ve1TZ/zk+uS5xeQ==",
                "sha1": "50faabb164d08233c4faf8c64aa07899b0f8f4df"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "ce1ce10ae0982152c2aca582e147aa9b2310dc8d4164d6cb3685b92e6e136a62",
            "tlsh": "c2c3c948baf7153a5763616a7e1f90123334900b3609de58bb8c4380af5d538e6f7be9",
            "path": "dist/types-DWj8Mfeh.cjs"
        },
        {
            "sha256": "fff65459c332f1e57fb3211c0e5d0022df3b5ccb7393ec80a9b9ba9ab5cbbc51",
            "tlsh": "9cf153cb3aebcb5337a53a51e5870221bd07dac70a0558607a8cf6ce5f4c0674b62bb5",
            "path": "dist/config-3K1mk5IJ.cjs"
        }
    ],
    "domains": [
        "34.11.16.104.in-addr.arpa"
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ggk-happy/MAL-2026-4789.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]