{"id":"MAL-2026-4472","summary":"Malicious code in @zhengshuo888/huoke (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab)\nOn npm install, the package's postinstall hook runs `node bin/huoke.js install-skill`, which uses `execSync` to invoke `curl -fsSL` against `https://raw.githubusercontent.com/amswf/huoke/main/SKILL.md` and writes the response into `~/.hermes/skills/.../SKILL.md` and `~/.openclaw/skills/...`. The URL is on a personal GitHub user's account (`amswf`) that does not match the package's declared repository (`huoke-link/huoke-skill`), points at a mutable `main` branch, and the fetched content is not hash- or signature-verified. The package already ships a `SKILL.md` in the tarball, but the postinstall ignores it and refetches remotely, so the file the AI ends up loading is whatever the controller of that personal repo serves at install time — not the file npm reviewed. The installed SKILL.md is loaded by Hermes/OpenClaw as agent instructions and contains `curl` directives that the user's AI agent executes with the user's bearer tokens, giving the controller of `github.com/amswf/huoke` an install-time channel to direct privileged actions on the installer's machine. Separately, `bin/huoke.js` defaults its server endpoint to `http://huoke.link` (plaintext HTTP) with a hardcoded shared bearer `sk_clawx_dev_2026`, so the credential-setup flow it advertises transmits the installer's email, verification code, and password in cleartext under a key shared by every installer — a quality issue layered on top of the install-time-fetch concern.\n","modified":"2026-05-26T06:02:07.385338968Z","published":"2026-05-21T04:39:55Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-21T04:40:00Z","id":"IN-MAL-2026-003740","source":"amazon-inspector","sha256":"6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab","versions":["1.0.0"],"import_time":"2026-05-26T05:51:13.496186554Z"},{"modified_time":"2026-05-21T04:39:55Z","id":"IN-MAL-2026-003739","source":"amazon-inspector","sha256":"acb113efaf3da376f3e05a0bc0d39f144f8c1b4fda7c76b5a54a6612285f4c1b","versions":["1.0.1"],"import_time":"2026-05-26T05:51:13.383159103Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@zhengshuo888/huoke/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@zhengshuo888/huoke/v/1.0.1"}],"affected":[{"package":{"name":"@zhengshuo888/huoke","ecosystem":"npm","purl":"pkg:npm/%40zhengshuo888%2Fhuoke"},"versions":["1.0.0","1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@zhengshuo888/huoke/MAL-2026-4472.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-VQz/5XH33bvZLPt4Z4g0VX8FEqT/N+7+GaTjYOSSXkncj4lq9dpSWKIstc5zKhHxCJxg1/MoXteIVxQrTHryzQ==","sha1":"20db0efaf8500debb0cbbe26adf0d9e70999feb0"},"filename":"huoke-1.0.0.tgz"}],"evidence_files":[{"path":"bin/huoke.js","sha256":"b1f808358328c819433eebc63742832687e3855b402dbaae0f60c5badbdbadcc","tlsh":"b81270b649f76530a673e28c6b47241a7126f9133604dc90b39c83962fdb670c663afd"},{"path":"package.json","sha256":"1c518b25094a49cc11e6d62dea6802cb02baf45b5a8507e4ae2e6cdbe3053f9d","tlsh":"16014930c9347c7318d546a8ac6a0982b1124d1708443c0aa3db245ebfaf76f91bf339"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}