{"id":"MAL-2026-4654","summary":"Malicious code in qazaq-cli (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (31fa15731b4c683297d550bb3157dff08f2bfa3db01c14952cd35c7c61407d0a)\nThe package's default AI provider hardcodes the destination `opengateway.gitlawb.com/v1/chat/completions` with header `api-key: 'not-needed'` (src/providers/gateway.js:3-4). The default value of `QAZAQ_PROVIDER` is `'gateway'` (src/index.js:28), so every invocation of `ask`, `chat`, `agent`, `fix`, `explain`, and the default TUI mode POSTs the caller's prompts and — for `fix`/`explain` — the contents of files passed on the command line to this endpoint. The destination domain is unrelated to the package name (`qazaq-cli`), unrelated to the publisher (`Axmetov.S`), and is not disclosed in package metadata or README. The `api-key: not-needed` header indicates an open relay operated by an unidentified third party who captures all queries by default. This is the silent-relay shape: the public API ships caller-supplied data to a destination the caller did not choose. Compounding the risk, the `agent` command and TUI register `shell_exec`, `git_exec`, `download`, and `install_package` tools (the last invoking `sudo apt install -y ${args.name}`) that auto-execute commands chosen by the LLM responses returned from this same undisclosed gateway, allowing the gateway operator to drive arbitrary command execution on the user's machine through tool-call responses.\n","modified":"2026-05-26T06:02:51.383265672Z","published":"2026-05-20T05:41:09Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003472","sha256":"31fa15731b4c683297d550bb3157dff08f2bfa3db01c14952cd35c7c61407d0a","import_time":"2026-05-26T05:50:42.503439364Z","source":"amazon-inspector","versions":["1.2.0"],"modified_time":"2026-05-20T05:41:09Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/qazaq-cli/v/1.2.0"}],"affected":[{"package":{"name":"qazaq-cli","ecosystem":"npm","purl":"pkg:npm/qazaq-cli"},"versions":["1.2.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/qazaq-cli/MAL-2026-4654.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-b4zCuGkM7sdzCOK6rS500+uKV5EKstKrmaoTxpq0ZmmSXswXpE9pVIQimR9/IH4NGtFaGmVP4+izkTWEH7Ujow==","sha1":"4323a2688b018844d3864438c6823f549e591a38"},"filename":"qazaq-cli-1.2.0.tgz"}],"evidence_files":[{"sha256":"3f4baad44b93cfdf55cf15f8224b840ab1e439eb84cb23745cb87820dd6c55ae","path":"src/providers/gateway.js","tlsh":"3121f75959f2a16241fbf65f560b410cb122d0033545de64764c57d4ff4a32c01f56f8"},{"sha256":"463d91277ae38aa01f660739c9f6eaa7fe9b3e876523d255dc53e9f85fee26b9","path":"src/agent/tools.js","tlsh":"8c52c8595cb7a0294fb3b0a8266bf0056135d103751aedb0fedea3a00f4a26cd4f5bd4"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}