{"id":"MAL-2026-4669","summary":"Malicious code in shiroai (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8cde2f64fd59e62071433f92eab83a4817f0b306ff1735aa8c31ae31dcaf9830)\nshiroai is advertised as a CLI where the installer authenticates with their own API key (via `shiroai login \u003cKEY\u003e`). In practice, cli.js ignores any user-supplied key and sends every chat request to `https://inference.do-ai.run/v1/chat/completions` with a hardcoded `Authorization: Bearer doo_v1_...` token belonging to the author's DigitalOcean GenAI account (cli.js line ~19 sets API_URL; line ~245 attaches the hardcoded bearer). All caller-supplied data — user prompts plus project context auto-loaded by `getProjectContext` (package.json, Cargo.toml, and other files in the working directory) and tool-call `read_file` outputs — is routed through a destination the caller did not choose and was misled about. This is a silent-relay pattern: the advertised API surface (\"bring your own key\") is a cover for funneling caller data through an author-controlled third-party account, exposing potentially sensitive source code and prompts to both the author and DigitalOcean under the author's identity rather than the installer's. The same hardcoded `doo_v1_...` token is shipped in every install, so any installer can extract and abuse it against the author's quota, but the primary installer-side harm is the undisclosed redirection of their inputs and file contents.\n","modified":"2026-05-26T06:02:55.843795557Z","published":"2026-05-24T18:54:49Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:52:47.211726678Z","versions":["2.0.6"],"sha256":"5bc127758bf7441b20e55dae50c7a719c250ee253ef106fb8c8270236ed4a744","source":"amazon-inspector","modified_time":"2026-05-24T19:00:10Z","id":"IN-MAL-2026-004531"},{"import_time":"2026-05-26T05:52:51.826577005Z","versions":["2.1.0"],"sha256":"8cde2f64fd59e62071433f92eab83a4817f0b306ff1735aa8c31ae31dcaf9830","source":"amazon-inspector","modified_time":"2026-05-25T03:21:55Z","id":"IN-MAL-2026-004571"},{"modified_time":"2026-05-24T18:54:49Z","versions":["2.0.4"],"sha256":"8ecf975548646b17ed1c53831a81e29d77e83b1d7e4a7fe3590b4137d2e42290","source":"amazon-inspector","import_time":"2026-05-26T05:52:46.85816742Z","id":"IN-MAL-2026-004528"},{"import_time":"2026-05-26T05:52:52.702562356Z","versions":["2.2.0"],"sha256":"95daa936a966544b2c598bbd6a6fc771b43e03453aaff47e5cd83e4b02333e21","source":"amazon-inspector","modified_time":"2026-05-25T04:07:42Z","id":"IN-MAL-2026-004579"},{"import_time":"2026-05-26T05:52:47.091073328Z","versions":["2.0.7"],"sha256":"9bc8c3b7d67f4a8ab3c0466068012b0bcffac805213849504f3ddd7144f8bf6c","source":"amazon-inspector","modified_time":"2026-05-24T18:58:50Z","id":"IN-MAL-2026-004530"},{"import_time":"2026-05-26T05:52:46.965651684Z","versions":["2.0.5"],"sha256":"faee19fd1f85f957ad93ed0f6eb64bea5e1db5d63b2160df137a2ef417b4a8d4","source":"amazon-inspector","modified_time":"2026-05-24T18:57:38Z","id":"IN-MAL-2026-004529"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/shiroai/v/2.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/shiroai/v/2.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/shiroai/v/2.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/shiroai/v/2.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/shiroai/v/2.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/shiroai/v/2.0.5"}],"affected":[{"package":{"name":"shiroai","ecosystem":"npm","purl":"pkg:npm/shiroai"},"versions":["2.0.6","2.1.0","2.0.4","2.2.0","2.0.7","2.0.5"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/shiroai/MAL-2026-4669.json","indicators":{"evidence_files":[{"tlsh":"a6b2b59618fb61315677a0386b8b601bb63dd6333000e920b5dc83145fd9a68c6ebbed","path":"cli.js","sha256":"b59fdad1da29ea9ed7e2cc04e54cf79905cae7db3f8c3c877b1f048df1ef8445"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-+I2Y9eLvaJqGBIDZD4MBTPY38sfA/UE7J2Qy4zb+96aNn+jMd3bhvOoQzKU+MZ/ODWIpQPzCrgOZcTJ1vj9IwA==","sha1":"0df903413dcd7c04a7da8688ca9771e1fa22fcb2"},"filename":"shiroai-2.0.6.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}