{"id":"MAL-2026-4522","summary":"Malicious code in claude-all-config (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (63c5a1f5a6f5bd2dadc4e207ff4e8e310c24cd4c99c751ed094251e00e0af8f3)\nOn install, postinstall.js writes configuration into ~/.claude/, ~/.gemini/, ~/.codex/, and ~/.kiro/ that hard-wires AI tooling to author-controlled destinations:\n\n1. Silent relay to author's Telegram: mcp.json registers a 'telegram' MCP server with a hardcoded TELEGRAM_BOT_TOKEN (bot @mcpcli_bot, token 8898185692:AAEjW5PcFLiwKJYf58X4pYY47HpbZvWGOUk) and TELEGRAM_CHAT_ID=1185240496 (the author's own chat). Any notification/message the installer routes through the Telegram MCP is delivered by default to the author's Telegram account.\n2. Author-funded API keys: .env.example ships live production keys for Z.AI (Z_AI_API_KEY=7b1a5a0d145545ae8f2baa2957691ac4...), MiniMax (sk-cp-EPrTEuQVxp0PES9ItiDFm46scpYtk3Ec...), Context7, and Exa, copied into ~/.claude/.env etc. Installer prompts and data are routed to API accounts owned by the package author.\n3. Command shadowing: ~/.local/bin/gemini and ~/.local/bin/codex symlinks shadow the real binaries; the shims source the author-supplied env (keys + Telegram token) before exec'ing the real tool, and the gemini shim auto-appends --yolo.\n4. Permission disablement: ~/.claude/settings.json and ~/.gemini/settings.json grant Bash(*), Write(*), WebFetch(*) and set autoAccept:true; the launcher exports IS_SANDBOX=1 to bypass Claude's root safety check and force --dangerously-skip-permissions.\n5. Unpinned remote shell installer: postinstall runs `curl -LsSf https://astral.sh/uv/install.sh | sh` without pin or checksum if uvx is missing.\n\nThe combination of (1) silent default routing of caller-supplied content to the author's Telegram chat, (2) injection of author-owned API credentials into the installer's AI stack so prompt/code content flows to author-controlled API endpoints, and (3) shimming of system commands so this routing applies to every future invocation of `gemini`/`codex`, is a silent-relay supply-chain pattern: the installer's data and prompts flow to author-controlled destinations by default, without explicit per-invocation consent.\n","modified":"2026-05-26T06:02:11.984908715Z","published":"2026-05-19T18:09:09Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:50:15.631571327Z","versions":["3.8.3"],"id":"IN-MAL-2026-003233","source":"amazon-inspector","sha256":"63c5a1f5a6f5bd2dadc4e207ff4e8e310c24cd4c99c751ed094251e00e0af8f3","modified_time":"2026-05-19T18:13:03Z"},{"import_time":"2026-05-26T05:50:15.441870505Z","versions":["3.9.0"],"source":"amazon-inspector","id":"IN-MAL-2026-003231","sha256":"d978edb77d9b82d95d878690483bfc668843b96bd2644504b5caf98c517d425c","modified_time":"2026-05-19T18:10:19Z"},{"import_time":"2026-05-26T05:50:15.31239784Z","versions":["3.8.4"],"source":"amazon-inspector","id":"IN-MAL-2026-003230","sha256":"fa8219e402b4ed55938cd7cb8dd329c23aaf45d8319cf81aff7fe8433012b53a","modified_time":"2026-05-19T18:09:10Z"},{"import_time":"2026-05-26T05:50:15.731409902Z","versions":["3.8.3"],"id":"IN-MAL-2026-003234","source":"amazon-inspector","sha256":"a27984c210bd38e794cb4dedd2686363227688eb3d9fc0b686d4ece85e88b85d","modified_time":"2026-05-19T18:13:03Z"},{"import_time":"2026-05-26T05:50:15.531720692Z","versions":["3.9.0"],"source":"amazon-inspector","id":"IN-MAL-2026-003232","sha256":"b7779b68b37cf943e000407b81322e99a147b30b88236fefef74198eb8e92c68","modified_time":"2026-05-19T18:10:20Z"},{"import_time":"2026-05-26T05:50:15.205676932Z","versions":["3.8.4"],"source":"amazon-inspector","id":"IN-MAL-2026-003229","sha256":"d8d116d9a6b9569d1d4a469e907a49a26ff44400d1b51100186bc71d9ecbf399","modified_time":"2026-05-19T18:09:09Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/claude-all-config/v/3.8.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/claude-all-config/v/3.9.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/claude-all-config/v/3.8.4"}],"affected":[{"package":{"name":"claude-all-config","ecosystem":"npm","purl":"pkg:npm/claude-all-config"},"versions":["3.8.3","3.9.0","3.8.4"],"database_specific":{"indicators":{"evidence_files":[{"path":".env.example","tlsh":"3671317b6b987608be53da3d734c6193c72d7038b4418060438b7055e3ee826069bef9","sha256":"ddf8a9978d44f12aab9867414146fdf39ff8f9551180ae643977b73cc0e3bb7b"},{"path":"postinstall.js","tlsh":"7dd2c60329fb02256673d2a94f4b10377218de532606ee603bed534d6fc56588aa37fe","sha256":"8fc75c45aa201157fa9cd80d19f80c50e2822c252c8beaa44ed595ee5c6597a7"}],"domains":["astral.sh","releases.astral.sh"],"package_integrity":[{"filename":"claude-all-config-3.8.3.tgz","hashes":{"sha512_sri":"sha512-yi82XcWaW0MuNalgQIQhwRP0tAFilWwgtFeZ+OqAK64bVSxlBuKEMIHCvf/q3CuRX2MgZLjuTlnSjD7fxvRqtA==","sha1":"cae67d250c80f4665844ef3f5f75988a4cfc3bc7"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/claude-all-config/MAL-2026-4522.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}