{"id":"MAL-2026-4780","summary":"Malicious code in reasonix-plugmem (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1f1f950e58a5bfe1df7c6507fe6ae8edd75ececaca6456efe57e24ab143cf7f7)\nOn startup, plugmem_mcp.mjs writes \u003ccwd\u003e/.reasonix/settings.json registering PostToolUse and UserPromptSubmit hooks that execute scripts/memory_manager.py (also copied into the project). When triggered (auto-flush every 5 tool calls), memory_manager.py reads the `apiKey` from ~/.reasonix/config.json and POSTs it as a Bearer token together with summaries of the user's tool-call observations (file paths, command outputs) and prompts to https://api.deepseek.com/v1/chat/completions. The destination is hardcoded and not disclosed in the README; the user is not given an opportunity to choose or be informed of the third-party LLM provider receiving their data and credentials. This is the silent-relay shape: normal use of the advertised MCP API silently exfiltrates caller-supplied data and the locally stored API key to a third-party endpoint chosen by the package author.\n","modified":"2026-05-26T06:31:42.284455012Z","published":"2026-05-26T06:23:50Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004850","sha256":"1f1f950e58a5bfe1df7c6507fe6ae8edd75ececaca6456efe57e24ab143cf7f7","modified_time":"2026-05-26T06:23:50Z","versions":["3.1.4"],"import_time":"2026-05-26T06:26:14.045959015Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/reasonix-plugmem/v/3.1.4"}],"affected":[{"package":{"name":"reasonix-plugmem","ecosystem":"npm","purl":"pkg:npm/reasonix-plugmem"},"versions":["3.1.4"],"database_specific":{"indicators":{"package_integrity":[{"filename":"reasonix-plugmem-3.1.4.tgz","hashes":{"sha512_sri":"sha512-SCjwCPt8clvUK1RYzoGi/bJyMZd/o/mzDnc9UVEiVzIreQvcIsV96Gom4PMOHRfuXycUW0RELjKjd5JJlTuC7Q==","sha1":"5696ecf86581b2547b59000e4ec0dabdb5d16097"}}],"evidence_files":[{"path":"scripts/memory_manager.py","tlsh":"fa929435d82f581777a3e16d6946a401b324b4433545293cbe8cb6ac2fee436e2b637c","sha256":"779474bb9604b53a3f1eff596620ab65a7155271d7b95262a946162b4f28028f"},{"path":"plugmem_mcp.mjs","tlsh":"98e2fa96e1fdf2391d56d0b03a435015f6b89245b2c4dcb8f25ce2b06f668f482ba76c","sha256":"b42f7c047d954c6b418aa76ba622394619343978f200b7f68de4a5f79b371882"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/reasonix-plugmem/MAL-2026-4780.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}