{"id":"MAL-2026-4625","summary":"Malicious code in oh-langfuse (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (83b229927c5bc228764ab11651b10bd06c6ff61edffa820a632c343aeec13037)\nThe package configures Langfuse tracing for Claude Code, Codex, and OpenCode. When the operator runs the bundled CLI without explicitly overriding `--langfuseBaseUrl`, the setup writes `LANGFUSE_BASEURL=http://120.46.221.227:3000` together with hardcoded public and secret Langfuse keys into `~/.claude/settings.json`, `~/.codex/config.toml`, OpenCode environment files, and shell shims (bin/cli.js lines 11-13 hardcode `DEFAULT_LANGFUSE_BASE_URL = \"http://120.46.221.227:3000\"`, `DEFAULT_LANGFUSE_PUBLIC_KEY = \"pk-lf-da0c90a7-...\"`, and `DEFAULT_LANGFUSE_SECRET_KEY = \"sk-lf-0269b85d-...\"`; scripts/langfuse-setup.mjs and scripts/opencode-langfuse-run.mjs reuse the same secret-key default). The installed Python hooks then ship every Claude/Codex turn — user prompts, assistant responses, tool inputs, and tool outputs (which routinely include file contents and any secrets observed in tool calls) — to that bare IPv4 endpoint. The destination is the publisher's own Langfuse instance, presented to the operator only as a numeric IP with no publisher-domain branding, served over cleartext HTTP, and pre-authenticated with credentials baked into the package. An additional fallback path in scripts/langfuse-setup.mjs downloads a hooks zip from `https://gitcode.com/user-attachments/files/8187690/7a797a5314b9497cae7b055aa51be646.zip` via PowerShell Invoke-WebRequest and installs it as the Claude Code Stop hook when both `--pyPath` is absent and the bundled `langfuse_hook.py` is missing — normally bypassed, but a brittle path to third-party-hosted code that Claude Code will execute. The trigger is the operator running the CLI with defaults (or `--yes`), not `npm install`; however, the documented invocation pattern of this package is to run that CLI, and the default behavior silently relays caller-supplied agent data (containing the operator's own code and secrets) to a publisher-controlled destination.\n","modified":"2026-06-12T20:01:55.539115526Z","published":"2026-05-21T08:17:27Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003779","modified_time":"2026-05-21T08:17:36Z","source":"amazon-inspector","import_time":"2026-05-26T05:51:17.894266246Z","sha256":"b94251e0353c83033676a5e7b3a5c2b039b3e79914adda00d48aea70750a25bf","versions":["0.1.22"]},{"id":"IN-MAL-2026-003778","modified_time":"2026-05-21T08:17:27Z","source":"amazon-inspector","import_time":"2026-05-26T05:51:17.797617995Z","sha256":"d9c25790370e3598801d59f56a8b4b42b16922c718176c30185c649bdc34f9e5","versions":["0.1.21"]},{"id":"IN-MAL-2026-005994","sha256":"e1e95aab765fc3da4a5700e41ccdb26654ac4fc40e037966c019712d4c2ff55a","source":"amazon-inspector","versions":["0.1.28"],"modified_time":"2026-06-12T19:06:52Z","import_time":"2026-06-12T19:43:56.115185524Z"},{"id":"IN-MAL-2026-006003","versions":["0.1.48"],"source":"amazon-inspector","modified_time":"2026-06-12T19:07:07Z","import_time":"2026-06-12T19:43:57.165040541Z","sha256":"23c57256befdad12e934704b856b3dd9cfd8343482c675f709642ed98eb4c4c7"},{"id":"IN-MAL-2026-006009","versions":["0.1.56"],"source":"amazon-inspector","modified_time":"2026-06-12T19:07:17Z","import_time":"2026-06-12T19:43:57.852421122Z","sha256":"31e2892b19b71acdeb7c83110e7477977b77fcf79e1aa431a89af1a30e5e343e"},{"id":"IN-MAL-2026-005996","modified_time":"2026-06-12T19:06:55Z","source":"amazon-inspector","import_time":"2026-06-12T19:43:56.353706034Z","sha256":"6a75a00e851680ba5b54d5cb046f72296a04024d5cddcad78e2a8a55c0bd3e8f","versions":["0.1.31"]},{"id":"IN-MAL-2026-006005","versions":["0.1.50"],"source":"amazon-inspector","modified_time":"2026-06-12T19:07:10Z","import_time":"2026-06-12T19:43:57.400106664Z","sha256":"f6564dc8542644b56f90cdc08f94213a034ea320a029b5e6316561f2837f44f3"},{"id":"IN-MAL-2026-006002","sha256":"f28aebdb8470dfaf939d09cb8e1809eeaae0cba02dabad1d4d93646376a113fd","source":"amazon-inspector","versions":["0.1.46"],"modified_time":"2026-06-12T19:07:05Z","import_time":"2026-06-12T19:43:57.05642435Z"},{"id":"IN-MAL-2026-006008","versions":["0.1.53"],"source":"amazon-inspector","modified_time":"2026-06-12T19:07:15Z","import_time":"2026-06-12T19:43:57.758149101Z","sha256":"50ba28313c30557acc00a643b1ab490ab5d513df47c5278cfed0836e13b0b438"},{"id":"IN-MAL-2026-005999","sha256":"593939706990f776735dc778bc1e6e41a44a6bd7166e50a23376b1c48bac3042","source":"amazon-inspector","versions":["0.1.43"],"modified_time":"2026-06-12T19:07:00Z","import_time":"2026-06-12T19:43:56.763512539Z"},{"id":"IN-MAL-2026-006000","import_time":"2026-06-12T19:43:56.8587184Z","source":"amazon-inspector","sha256":"83b229927c5bc228764ab11651b10bd06c6ff61edffa820a632c343aeec13037","versions":["0.1.44"],"modified_time":"2026-06-12T19:07:02Z"},{"id":"IN-MAL-2026-005997","versions":["0.1.38"],"source":"amazon-inspector","modified_time":"2026-06-12T19:06:57Z","import_time":"2026-06-12T19:43:56.525541675Z","sha256":"98ab175d2e12969d09ba6f27b976441a4d9c9eec25f040410b2dc006e6ef3926"},{"id":"IN-MAL-2026-005998","import_time":"2026-06-12T19:43:56.650964581Z","source":"amazon-inspector","sha256":"602efd12592d5ec573f59c258af9fced8bf94f110a4c6373b20230a2d5312eb7","versions":["0.1.42"],"modified_time":"2026-06-12T19:06:58Z"},{"id":"IN-MAL-2026-006001","versions":["0.1.45"],"source":"amazon-inspector","modified_time":"2026-06-12T19:07:03Z","import_time":"2026-06-12T19:43:56.953095436Z","sha256":"ca39f00882f0c0cebcff7b48ad2b87f56dba9ca4e2a7d0b764608d46c0c24011"},{"id":"IN-MAL-2026-006004","versions":["0.1.49"],"source":"amazon-inspector","modified_time":"2026-06-12T19:07:08Z","import_time":"2026-06-12T19:43:57.307608239Z","sha256":"f6e518f1ae5305739066dbc9e1a15ed6fbde1b8785e8b92ef47fb355cff8f644"},{"id":"IN-MAL-2026-005995","sha256":"579e2a88c2e4776b660ff1f9c768ad449bc09cdcdf78d1c886937c90518cc69f","source":"amazon-inspector","versions":["0.1.29"],"modified_time":"2026-06-12T19:06:53Z","import_time":"2026-06-12T19:43:56.263596467Z"},{"id":"IN-MAL-2026-006006","versions":["0.1.51"],"source":"amazon-inspector","modified_time":"2026-06-12T19:07:12Z","import_time":"2026-06-12T19:43:57.546346512Z","sha256":"b4e45a61284456d4c47754053415e5116356606f2814099edf7a57d8bb54bb7f"},{"id":"IN-MAL-2026-006007","versions":["0.1.52"],"source":"amazon-inspector","modified_time":"2026-06-12T19:07:13Z","import_time":"2026-06-12T19:43:57.662117988Z","sha256":"de5663460e2dc8b2d9e0e54606b7fe18b4b04307dfe33e66c6f745a9fb7fde9e"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.22"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.21"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.28"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.48"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.56"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.31"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.50"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.46"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.53"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.43"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.44"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.38"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.42"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.45"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.49"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.29"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.51"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/oh-langfuse/v/0.1.52"}],"affected":[{"package":{"name":"oh-langfuse","ecosystem":"npm","purl":"pkg:npm/oh-langfuse"},"versions":["0.1.22","0.1.21","0.1.28","0.1.48","0.1.56","0.1.31","0.1.50","0.1.46","0.1.53","0.1.43","0.1.44","0.1.38","0.1.42","0.1.45","0.1.49","0.1.29","0.1.51","0.1.52"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/oh-langfuse/MAL-2026-4625.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-QjRlw9YkPteocg4hgxkNxa/V2U6ShfVt+FOuzz0t6nlkIXAC7huxhdA5ArC5lItrnYj50sWusaOZU6JZP2BlHg==","sha1":"87e661fa5b2020b192bfc5bea9c3fcb11d242762"},"filename":"oh-langfuse-0.1.22.tgz"}],"evidence_files":[{"tlsh":"48e2a44958da792107b325a89a530439fa3e47131409d546fabf43e86fb9938c2f3b7c","path":"bin/cli.js","sha256":"13d1140fde10c1b13d61c7552a2a7339896909a8ecc681f84416753bd3805a67"},{"tlsh":"e922194784ba86640bb263b4238f8425f2e512173741eaa4b7bc94e52f7413cc677eec","path":"scripts/langfuse-setup.mjs","sha256":"5343623983dc704028b93b54913a3c6f2eb3ff8d6e5545a1159f58fd4c255a1f"},{"sha256":"daf344ce7d7507763091e409942b06eb681b3ebd86e2314ca35689472b0f58d5","path":"scripts/opencode-langfuse-setup.mjs","tlsh":"bfa2c503946a09220db257215a0b447ef9fd37132241e995bbbd86dd1ff8928c1a3efd"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com","inspector-research@amazon.com"],"type":"FINDER"}]}