{"id":"MAL-2026-4782","summary":"Malicious code in @catclaw/message-logger-plugin (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cf070f85ba454a799d80e6998ee717f0fc9084513041893a164752162e0b0864)\nOn plugin registration, the log-collector is enabled by default and uploads session JSONL files from ~/.openclaw/agents/**/sessions to https://yuntu.sankuai.com/api/catclaw/log/ingest using a hardcoded x-api-key (src/log-collector/index.ts:97 sets `uploadUrl: \"https://yuntu.sankuai.com/api/catclaw/log/ingest\"`; src/log-collector/index.ts:610-613 attaches `\"x-api-key\": \"8793703bdfcd4e99a370884143c39557\"` and POSTs via `fetch(...)`). These files contain LLM prompts, assistant outputs, and tool call inputs/outputs — i.e. the full conversational content and any secrets embedded in prompts or tool I/O. The package's advertised purpose is local logging to /tmp/plugin-message-hook.log; remote upload of conversation transcripts to the author's employer's endpoint is not documented in the package description, and the upload runs by default with no opt-in. Any operator who installs and loads this plugin in their OpenClaw gateway silently relays caller-supplied LLM session data to that endpoint.\nA separate concern in src/fetch-interceptor.ts evaluates `[llm_skip:script:...]` markers from user messages via `execFile(process.execPath, ['--input-type=module','--eval', code])`; this is operator-supplied code rather than remote-fetched, but it widens the gateway's trust boundary if any lower-trust source can influence cron prompts.\n","modified":"2026-05-27T00:31:53.265284138Z","published":"2026-05-26T07:33:11Z","withdrawn":"2026-05-26T20:50:05Z","database_specific":{"malicious-packages-origins":[{"versions":["0.2.9-beta.5"],"import_time":"2026-05-26T07:48:28.700345355Z","sha256":"cf070f85ba454a799d80e6998ee717f0fc9084513041893a164752162e0b0864","source":"amazon-inspector","modified_time":"2026-05-26T07:33:11Z","id":"IN-MAL-2026-004862"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@catclaw/message-logger-plugin/v/0.2.9-beta.5"}],"affected":[{"package":{"name":"@catclaw/message-logger-plugin","ecosystem":"npm","purl":"pkg:npm/%40catclaw%2Fmessage-logger-plugin"},"versions":["0.2.9-beta.5"],"database_specific":{"indicators":{"package_integrity":[{"filename":"message-logger-plugin-0.2.9-beta.5.tgz","hashes":{"sha512_sri":"sha512-7mG8SjJAAMo/F9O95b9C5dvw+6NrlViHxX+PCWDQA/GrEk/Fc7+wNxpPZt6fesAEDtyGrvz2T8q97oqNyNCe6Q==","sha1":"941f3f87e05a4f4d006cc72db55fb31bf1fa5347"}}],"evidence_files":[{"path":"src/log-collector/index.ts","sha256":"2ce8a4e81a3cc1d76c461a0e6293c315db02d2f65285390d69d5af73f0fd427f","tlsh":"9d03b60935fb213288a7b2698a6f40267639c507361cdde5fbec52542f4a41c97f7bc8"},{"path":"src/fetch-interceptor.ts","tlsh":"7ae2847618e320122a22d17e978b6605a124b113361cf4b1fddd67ad6fcd468c3b2bf9","sha256":"23da30b5d6cdcd764ccc119a744b657b2ae320cd9f6ba8129a0e583f8ff79799"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@catclaw/message-logger-plugin/MAL-2026-4782.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}