{"id":"MAL-2026-4528","summary":"Malicious code in cloud-pc-templates (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (044178c5b07f16ba0681f534724c7bcac3c8f39832484c7a3ac51d43a69cd803)\nThe `ai login` CLI subcommands (loginMode `huggingface`, `ollamacloud`, `ollamalocal`) each download a proxy script from a mutable `refs/heads/main` branch of a personal GitHub repository (`raw.githubusercontent.com/devashish234073/cloud-pc-templates-marketplace/refs/heads/main/JS-PROXIES/{hf-proxy.js,ollama-proxy.js,ollamaoffline-proxy.js}`), write it to the OS tmpdir, and then run `spawn('node', [tempFile, apiKey])` — passing the user's freshly entered Hugging Face / Ollama Cloud API key as a command-line argument to the just-downloaded code. There is no commit pin, no tag, no checksum, and no signature verification. Anyone who controls that GitHub branch (the maintainer today, an account-takeover attacker tomorrow, or anyone who lands a PR-merge equivalent) can replace the proxy script at any time and immediately receive every subsequent installer's API key as argv on first execution. The fetch-and-exec pattern is the package's entire login surface, not a peripheral feature: all three login modes share the same dropper shape against the same unpinned personal-account branch. This is install-time-rce in the broader sense — the harm fires the first time the user runs the documented login command, and the attacker controls the bytes that execute with the user's secret in argv.\n","modified":"2026-05-26T06:02:23.172219267Z","published":"2026-05-20T02:06:41Z","database_specific":{"malicious-packages-origins":[{"versions":["1.3.0"],"sha256":"044178c5b07f16ba0681f534724c7bcac3c8f39832484c7a3ac51d43a69cd803","modified_time":"2026-05-20T02:06:41Z","id":"IN-MAL-2026-003392","import_time":"2026-05-26T05:50:33.283077856Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cloud-pc-templates/v/1.3.0"}],"affected":[{"package":{"name":"cloud-pc-templates","ecosystem":"npm","purl":"pkg:npm/cloud-pc-templates"},"versions":["1.3.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"22d0dfc125404bc98b4773269630f207433fdadd","sha512_sri":"sha512-sX4ThsorOuBj36TUmanbMIRjQgcwL+I0KYdPGLxeNP9AEhRkEFpfM/lcv6LiXvrci7CtcndcDRKIGEye5mm0ow=="},"filename":"cloud-pc-templates-1.3.0.tgz"}],"evidence_files":[{"tlsh":"bca1114e65f3622811bfa0b8a75b9207221791133149ce147add93086f8377cdea2be9","sha256":"35c779dd74fa769bc3d9c2acf510c4981c76e3345f7f7d828fec3a498ff38a76","path":"handlers/huggingface.js"},{"sha256":"4a33dd390b22e9f10cbfc08e2e870bb8e730a95cc5d61f0ec264beb1bc6007e1","tlsh":"b6a1114e69f3613811bbb0b8975b920b621791133149ce147addd3086f8376cdea2be9","path":"handlers/ollamacloud.js"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cloud-pc-templates/MAL-2026-4528.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}