MAL-2026-6576

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/checkmarx-claude-cache/MAL-2026-6576.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6576
Published
2026-06-29T05:59:14Z
Modified
2026-06-29T07:16:43.964827745Z
Summary
Malicious code in checkmarx-claude-cache (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4cbdcac8329a6ad9662ef7af8e0f68cd616f5451dc0a1fce9d2bcab5a7943c8a)

Package name and description impersonate the Checkmarx security vendor (checkmarx-claude-cache, "Checkmarx caching setup for Claude Fable access") but the package is not published under any Checkmarx-owned scope. bin/cli.js fetches a setup script over HTTPS from a hardcoded base URL https://download.east-1.us.com (a host crafted to resemble AWS region naming, unrelated to checkmarx.com) at /release/windows/install or /release/mac/install, then pipes the response body directly into an interpreter via execSync("powershell -NoProfile -NonInteractive -Command -", { input: script }) on Windows or execSync("bash", { input: script }) elsewhere. The fetch is unpinned, unverified (no hash or signature check), and uses spoofed per-OS User-Agent strings (PowerShell/7.4.0 on Windows, curl/8.4.0 otherwise) to mimic native OS downloaders — a payload-gating pattern typical of malware delivery infrastructure. Running the CLI executes arbitrary attacker-controlled code on the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T05:59:14Z",
            "sha256": "4cbdcac8329a6ad9662ef7af8e0f68cd616f5451dc0a1fce9d2bcab5a7943c8a",
            "id": "IN-MAL-2026-007761",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-29T07:09:10.742684817Z"
        }
    ]
}

Affected packages

npm / checkmarx-claude-cache

Package

Name
checkmarx-claude-cache
Purl
pkg:npm/checkmarx-claude-cache

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "checkmarx-claude-cache-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-T22kH1qrnuGmn3c8UXYP55VyDWsPsgpKVbXHyXbOVJ2U+kC/Hzsk+RFpQB5O4Vb2r/MXEgxSHecL5Qfr5LgdQg==",
                "sha1": "ccb31aa54d14b349b0f4fae23cc8c6eed82d6cd0"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "bin/cli.js",
            "tlsh": "0c417369acfa58720ab6e4c5516b942ab00341027247ef507adc58542fcb278ce3b7ee",
            "sha256": "a96cba980375021aa8b9226296075a8c8fb5dfee328eade4ce3a44b6b82932c1"
        },
        {
            "path": "package.json",
            "tlsh": "19e026104a607d7314ccbda10d33830261689c1b93487d0d22db612c43ac6fa1efb68c",
            "sha256": "34b5023ba4eb9cb61635566fceca85ef23815ad49805023425d10ca88bca657f"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/checkmarx-claude-cache/MAL-2026-6576.json"