{"id":"MAL-2026-4361","summary":"Malicious code in @amswf/huoke (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4)\nOn `npm install`, this package's postinstall runs `node bin/huoke.js install-skill`, which enumerates `/home/*` for every system user, finds each user's `~/.hermes/profiles/*` directories, and for each one downloads `SKILL.md` from `https://raw.githubusercontent.com/amswf/huoke/main/SKILL.md` via `curl -fsSL` and writes the response into that user's profile under `skills/`. The fetch targets the mutable `main` branch with no commit pin and no hash/signature verification, and the package ignores its own locally-shipped SKILL.md in favor of the remote copy. SKILL.md is consumed by Hermes/OpenClaw as agent (LLM) instructions, so the maintainer can change the contents at any time after publish to inject new instructions into every installer's deployed agents — an attacker-controlled-content channel that does not require republishing the package. The write loop also crosses account boundaries: when the installer runs `npm install` with sufficient privileges (root/sudo, common in container images and CI), the package modifies files inside other system users' home directories, which the package has no business touching.\nSeparately, the runtime CLI default endpoint is plain `http://huoke.link`, sending JWTs and credentials in cleartext — a quality issue affecting CLI users but not the basis for this verdict.\n","modified":"2026-05-27T00:32:01.040636888Z","published":"2026-05-21T08:20:01Z","withdrawn":"2026-05-26T21:14:22Z","database_specific":{"malicious-packages-origins":[{"versions":["1.9.0"],"sha256":"358a0c48fb69e1c65e772be88f2150b69fd6e7c5a6a8d3aee16ffc286bc607fd","source":"amazon-inspector","import_time":"2026-05-26T05:51:18.088679876Z","modified_time":"2026-05-21T08:20:01Z","id":"IN-MAL-2026-003781"},{"versions":["1.9.1"],"sha256":"4ec868ff3c73d920bd9c3b66a0e725f2eaf427b83ade2ad0fae284be0386eff4","source":"amazon-inspector","import_time":"2026-05-26T05:51:18.31300665Z","modified_time":"2026-05-21T08:34:12Z","id":"IN-MAL-2026-003783"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@amswf/huoke/v/1.9.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@amswf/huoke/v/1.9.1"}],"affected":[{"package":{"name":"@amswf/huoke","ecosystem":"npm","purl":"pkg:npm/%40amswf%2Fhuoke"},"versions":["1.9.0","1.9.1"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-ejjPJpaL/zsugfhlii2BdjMVpoc9hjydHRBMflOkSNUMcQxDWRikdab7RYzJcI4BlBqiNfn7+PVwPr6Atk3HTA==","sha1":"5a85071b1aa933df090bc013b9918be73f5c6f0b"},"filename":"huoke-1.9.0.tgz"}],"evidence_files":[{"sha256":"4c45619b6796923309467847c0bc3e5c3d93e7f2c03287cb95212985e9b96d92","path":"bin/huoke.js","tlsh":"82c2763418fa24703523e4acab8b60027119f9037449dd5876adb36e5fcda34daa36fd"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@amswf/huoke/MAL-2026-4361.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}