MAL-2026-6256

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@withgoogle/stitch-sdk/MAL-2026-6256.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6256
Published
2026-06-20T12:00:00Z
Modified
2026-06-23T21:01:22.456824637Z
Summary
Malicious code in @withgoogle/stitch-sdk (npm)
Details

@withgoogle/stitch-sdk is a scope-squatting package on npm that impersonates an SDK for Google's Stitch AI design tool. The attacker registered the @withgoogle scope to mimic Google's withgoogle.com domain and, under the account maximus-mcmillan, published versions 0.1.1 and 0.1.2 on June 19, 2026; the affected-version list below also covers 0.1.3 through 0.1.5. The package runs a credential harvester from a preinstall hook (scripts/preinstall.js) and ships the same harvester as its CLI entry point (bin/cli.js), so the code executes both at install time and whenever the CLI is invoked. On install it collects email addresses and credentials from Claude Code authentication state, git config, ~/.git-credentials, ~/.ssh/*.pub, the GitHub CLI, ~/.npmrc, and ~/.docker/config.json, then exfiltrates them to https://stitch-production.org/api/v1 over HTTPS with certificate verification disabled (rejectUnauthorized: false), so the request still succeeds if the attacker's host presents an invalid certificate or a TLS-intercepting proxy sits in the path. The code is unobfuscated and relies entirely on the trust implied by the @withgoogle scope name.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ffe3e7f674ed72b1e7f4cc8f75f8040e8e2efd91c98f3b0484dfdc7fe5347279)

Package is published under the @withgoogle npm scope but the package.json author is 'Maximus McMillan' with repository github.com/maximus-mcmillan/stitch-sdk; there is no Google affiliation. scripts/preinstall.js runs automatically on npm install and enumerates installer-side identity and credential sources: git config user.email (--global/--system), ~/.gitconfig, ~/.config/git/config, ~/.git-credentials (which stores plaintext https://user:token@host entries), ~/.ssh/*.pub, gh api user, claude auth status, npm config get email, ~/.npmrc (npm auth tokens), and ~/.docker/config.json (registry auth). The harvested values are sent in an HTTP GET request to https://stitch-production.org/api/v1?src=...&user=... with TLS verification explicitly disabled (rejectUnauthorized:false at scripts/preinstall.js:46), so delivery does not depend on the attacker's host presenting a valid certificate. The hardcoded C2 base URL is at scripts/preinstall.js:26 (const STITCH_SERVER_BASE = 'https://stitch-production.org/api/v1'). The combination of @withgoogle scope impersonation, preinstall lifecycle execution, enumeration of canonical credential-file paths, and exfiltration to an attacker-controlled host with TLS verification disabled is a deliberate supply-chain attack against any developer or build system that installs this package.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "b2169f45b1bccbdfa6770f0df01b247787d466438732a9e99da41b721c71a940",
            "import_time": "2026-06-23T20:48:31.28226437Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T20:36:59Z",
            "versions": [
                "0.1.5"
            ],
            "id": "IN-MAL-2026-007362"
        },
        {
            "sha256": "bab8846780175f96cb03d7e9026fe9377429830762509860ce735f4623ee9fc0",
            "id": "IN-MAL-2026-007363",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T20:37:03Z",
            "versions": [
                "0.1.4"
            ],
            "import_time": "2026-06-23T20:48:31.387547554Z"
        },
        {
            "sha256": "d8050a859b7a3791ed5cb4cbcbbc5f280c75c69c916a69307c0f57e12a5f20c0",
            "import_time": "2026-06-23T20:48:31.612440061Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T20:37:04Z",
            "versions": [
                "0.1.1"
            ],
            "id": "IN-MAL-2026-007365"
        },
        {
            "sha256": "ffe3e7f674ed72b1e7f4cc8f75f8040e8e2efd91c98f3b0484dfdc7fe5347279",
            "import_time": "2026-06-23T20:48:31.712517014Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T20:37:09Z",
            "versions": [
                "0.1.3"
            ],
            "id": "IN-MAL-2026-007366"
        },
        {
            "sha256": "6edcc9c4a60feb2f1f4a7fbc6f461202aeab3b9dc167d746d8770bcfa6ed202a",
            "import_time": "2026-06-23T20:48:31.471162308Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T20:37:03Z",
            "versions": [
                "0.1.2"
            ],
            "id": "IN-MAL-2026-007364"
        }
    ]
}

Affected packages

npm / @withgoogle/stitch-sdk

Package

Name
@withgoogle/stitch-sdk
Purl
pkg:npm/%40withgoogle%2Fstitch-sdk

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@withgoogle/stitch-sdk/MAL-2026-6256.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "964edea555e5c959d4705dbbc8f9d845254ffffe98346f3e8b2eaf21f8d95190",
            "tlsh": "33d132b70aeb233430d6e8ad874f5136626bf0237605d590b85db2589fcd03856e1afe",
            "path": "scripts/preinstall.js"
        },
        {
            "tlsh": "68112932cf385c7317cc27a26c394291fa51984b4934fc1972e7519c8b8d26b16be5ac",
            "sha256": "c044f05e25cdc26ea7f0096cbcd8985c208805aaa55284ee93b197fe5b027263",
            "path": "package.json"
        },
        {
            "sha256": "1cee955bd92fb57e8951e8ec82f92751d1d0e3a49b9131f8b723c138de35b178",
            "tlsh": "72f1847b19ab233431d6e5ad834f8132b27af0177205d190b86db3885fcd0385692afa",
            "path": "bin/cli.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "stitch-sdk-0.1.5.tgz",
            "hashes": {
                "sha1": "b61a062df2b83eb3368da1792fc9b6719f28654a",
                "sha512_sri": "sha512-2VqODian6kN59wE0D1rKFolIfpk7KJmO/3qjM2ZrHmXGQMZrrrfrsrLQWRoFLfzXQtcQcSLWHkvHV/D2qz5OPQ=="
            }
        }
    ]
}