{"id":"MAL-2026-4397","summary":"Malicious code in @jemavidev/betteragents-pi (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3b6e1a3902ad5cc75204b7a6eea3727c6a6c31797d7cfd7a0cd12a64892887bd)\nThe package brands itself as an OpenRouter LLM extension and instructs users to obtain a key with the canonical `sk-or-v1-` prefix from `openrouter.io/settings/keys`. However, the legitimate OpenRouter service is `openrouter.ai` — `openrouter.io` is a different-TLD lookalike. `dist/src/provider.js` line 8 hardcodes `this.baseURL = 'https://openrouter.io/api/v1'`, and every registered tool (ba_analyze, ba_generate, ba_secure, ba_test, ba_document, ba_design, ba_clean, ba_infra) forwards user-supplied code and prompts along with the `OPENROUTER_API_KEY` bearer token to that domain. README.md and.env.example reinforce the steering by directing users to register accounts and obtain keys at `openrouter.io`. The combined effect is that any caller of these tools silently relays their source code, prompts, and a bearer token (which they likely believe is for the real OpenRouter) to a domain controlled by a different operator. Whether the destination is an outright phishing/credential-capture site or a different service intentionally trading on OpenRouter's branding, the installer-facing harm is the same: caller-supplied data and credentials are siphoned to a non-canonical destination under a misleading identity.\n","modified":"2026-05-27T00:31:56.200396281Z","published":"2026-05-20T22:11:01Z","withdrawn":"2026-05-26T21:28:12Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003640","import_time":"2026-05-26T05:51:01.124205051Z","sha256":"09772ac9ab4ea0150a0879fef2d531602a4a6a24fa851c8b96d9c6d2d1334751","modified_time":"2026-05-20T22:24:29Z","versions":["0.1.3"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003624","import_time":"2026-05-26T05:50:59.343939936Z","modified_time":"2026-05-20T22:11:01Z","sha256":"310b85c2feab0f5c9bf260a968751dcdc4bcf45143112e010c2b8a8df49ba513","versions":["0.1.1"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003627","import_time":"2026-05-26T05:50:59.684594988Z","sha256":"651f2bb2588a8db77facaca911d4be6e18498b14276989e48411d11bbeab699c","modified_time":"2026-05-20T22:14:26Z","versions":["0.1.7"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003625","import_time":"2026-05-26T05:50:59.460242034Z","sha256":"e49f48ca508619fc80ae4cddcb3a72600845a6a11fc7cf4cec81c539387e8f7a","modified_time":"2026-05-20T22:11:01Z","versions":["0.1.1"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003628","import_time":"2026-05-26T05:50:59.80543615Z","modified_time":"2026-05-20T22:14:27Z","sha256":"43eb704df1102fa889608d3777d3495e6ad9b3a0833fdd85cdd76a3f2f09f240","versions":["0.1.7"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003630","import_time":"2026-05-26T05:51:00.036101999Z","sha256":"4d11450bca14285c70bf66d118678914d4e58e32bca62c944cd2bdbf132354a3","modified_time":"2026-05-20T22:16:03Z","versions":["0.1.5"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003638","import_time":"2026-05-26T05:51:00.913825165Z","sha256":"df31f13595a6344d2a462598d0c6c13e6b11162c346fe955f12ea3edb3633e10","modified_time":"2026-05-20T22:20:52Z","versions":["0.1.4"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003632","import_time":"2026-05-26T05:51:00.263003176Z","sha256":"171e5407f66fff1e2fbd5c6414a41478aff532587dfa429e2ce1768721cd8d78","modified_time":"2026-05-20T22:16:38Z","versions":["0.1.9"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003635","import_time":"2026-05-26T05:51:00.601790963Z","sha256":"3b6e1a3902ad5cc75204b7a6eea3727c6a6c31797d7cfd7a0cd12a64892887bd","modified_time":"2026-05-20T22:18:50Z","versions":["0.1.11"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003642","import_time":"2026-05-26T05:51:01.412015973Z","sha256":"67bfa397f94dad51f863aa7902c68f92082672f886d3f146b0aa1145c4d5b335","modified_time":"2026-05-20T22:24:41Z","versions":["0.1.10"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003636","import_time":"2026-05-26T05:51:00.709299923Z","sha256":"734b55875c40efc6c5a72151d52bd43dce245bd54ff3c13b27040fb8f0102edb","modified_time":"2026-05-20T22:18:50Z","versions":["0.1.11"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003641","import_time":"2026-05-26T05:51:01.272446853Z","sha256":"c79831fcb2d77976b35d6476f95a5f062e650879ecd8900d876f4679b988ab12","modified_time":"2026-05-20T22:24:29Z","versions":["0.1.3"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003631","import_time":"2026-05-26T05:51:00.14835261Z","sha256":"caefee5d128f50ad4df4612cfbcdc32cc9b18110607045ba50a280b24005b028","modified_time":"2026-05-20T22:16:37Z","versions":["0.1.9"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003643","import_time":"2026-05-26T05:51:01.553198341Z","sha256":"76f9a15d5658ba119fe00639c9c7acffbd3985843e010d812d35eeeeb6d7276d","modified_time":"2026-05-20T22:24:42Z","versions":["0.1.10"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003637","import_time":"2026-05-26T05:51:00.806061432Z","sha256":"7fc384a5c6f40ab626f658cf7c0e27a7ae5acd35e9d98ba40196296d79c50f31","modified_time":"2026-05-20T22:20:52Z","versions":["0.1.4"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-003629","import_time":"2026-05-26T05:50:59.921821067Z","modified_time":"2026-05-20T22:16:02Z","sha256":"ac4e571f592eea498408cd93b5a9e68a18e898a4ddd2eea4904f66134d574835","versions":["0.1.5"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@jemavidev/betteragents-pi/v/0.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@jemavidev/betteragents-pi/v/0.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@jemavidev/betteragents-pi/v/0.1.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@jemavidev/betteragents-pi/v/0.1.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@jemavidev/betteragents-pi/v/0.1.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@jemavidev/betteragents-pi/v/0.1.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@jemavidev/betteragents-pi/v/0.1.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@jemavidev/betteragents-pi/v/0.1.5"}],"affected":[{"package":{"name":"@jemavidev/betteragents-pi","ecosystem":"npm","purl":"pkg:npm/%40jemavidev%2Fbetteragents-pi"},"versions":["0.1.3","0.1.1","0.1.7","0.1.5","0.1.4","0.1.9","0.1.11","0.1.10"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@jemavidev/betteragents-pi/MAL-2026-4397.json","indicators":{"domains":["34.0.16.104.in-addr.arpa","34.1.16.104.in-addr.arpa"],"package_integrity":[{"hashes":{"sha1":"38ebfeaa1f0599badc3baf6fdde61a71e24ab157","sha512_sri":"sha512-Db4LX84KA6x+e+qc5cy0SFC2RoX4DVGuI0yHY4Zgvnc+HDDCzqGbMRoSFtRiOOGdgDWkuhrJ3OFdvNR19at3jQ=="},"filename":"betteragents-pi-0.1.3.tgz"}],"evidence_files":[{"tlsh":"d7610daa18b32915861752b6ffdf31156029f40b2d4cbcbcb74c46c44f9a0188bb6fa8","path":"dist/src/provider.js","sha256":"2d9f3941d3063eb24dbdbf6076a76eced64427ade40a8e3f3f3833540c597be8"},{"tlsh":"7a321a3f409431ba1a37867eb11bf597eb63d0962584993970dc8208bf6d75ec26f28c","path":"GETTING_STARTED.md","sha256":"528959ca22451cc73a6013c4127fd83e6139063dc14b34af5071bfa3184ecdce"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}