{"id":"MAL-2026-6256","summary":"Malicious code in @withgoogle/stitch-sdk (npm)","details":"@withgoogle/stitch-sdk is a scope-squatting package on npm that impersonates Google's Stitch AI design tool SDK. The attacker registered the @withgoogle scope to mimic Google's withgoogle.com domain and published versions 0.1.1 and 0.1.2 under the account maximus-mcmillan on June 19, 2026. The package runs a credential harvester from a preinstall hook (scripts/preinstall.js) and an identical CLI binary (bin/cli.js). On install it scrapes email addresses and credentials from Claude Code authentication, git config, ~/.git-credentials, ~/.ssh/*.pub, the GitHub CLI, ~/.npmrc, and ~/.docker/config.json, then exfiltrates them to https://stitch-production.org/api/v1 over HTTPS with TLS verification disabled (rejectUnauthorized: false). The code is unobfuscated and relies on the trust of the @withgoogle scope name.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ffe3e7f674ed72b1e7f4cc8f75f8040e8e2efd91c98f3b0484dfdc7fe5347279)\nPackage is published under the @withgoogle npm scope but the package.json author is 'Maximus McMillan' with repository github.com/maximus-mcmillan/stitch-sdk — there is no Google affiliation. scripts/preinstall.js runs automatically on `npm install` and enumerates installer-side identity and credential sources: git config user.email (--global/--system), ~/.gitconfig, ~/.config/git/config, ~/.git-credentials (which stores plaintext https://user:token@host entries), ~/.ssh/*.pub, `gh api user`, `claude auth status`, `npm config get email`, ~/.npmrc (npm auth tokens), and ~/.docker/config.json (registry auth). The harvested values are HTTP-GET'd to https://stitch-production.org/api/v1?src=...&user=... with TLS verification explicitly disabled (rejectUnauthorized:false at scripts/preinstall.js:46) to ensure delivery. The hardcoded C2 base URL is at scripts/preinstall.js:26 (`const STITCH_SERVER_BASE = 'https://stitch-production.org/api/v1'`). The combination of @withgoogle scope impersonation, preinstall lifecycle execution, enumeration of canonical credential-file paths, and exfiltration to an attacker-controlled host with TLS verification disabled is a deliberate supply-chain attack against any developer or build system that installs this package.\n","modified":"2026-06-23T21:01:22.456824637Z","published":"2026-06-20T12:00:00Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-23T20:36:59Z","versions":["0.1.5"],"import_time":"2026-06-23T20:48:31.28226437Z","id":"IN-MAL-2026-007362","source":"amazon-inspector","sha256":"b2169f45b1bccbdfa6770f0df01b247787d466438732a9e99da41b721c71a940"},{"import_time":"2026-06-23T20:48:31.387547554Z","versions":["0.1.4"],"modified_time":"2026-06-23T20:37:03Z","id":"IN-MAL-2026-007363","source":"amazon-inspector","sha256":"bab8846780175f96cb03d7e9026fe9377429830762509860ce735f4623ee9fc0"},{"source":"amazon-inspector","versions":["0.1.1"],"modified_time":"2026-06-23T20:37:04Z","id":"IN-MAL-2026-007365","import_time":"2026-06-23T20:48:31.612440061Z","sha256":"d8050a859b7a3791ed5cb4cbcbbc5f280c75c69c916a69307c0f57e12a5f20c0"},{"modified_time":"2026-06-23T20:37:09Z","versions":["0.1.3"],"import_time":"2026-06-23T20:48:31.712517014Z","id":"IN-MAL-2026-007366","source":"amazon-inspector","sha256":"ffe3e7f674ed72b1e7f4cc8f75f8040e8e2efd91c98f3b0484dfdc7fe5347279"},{"modified_time":"2026-06-23T20:37:03Z","versions":["0.1.2"],"import_time":"2026-06-23T20:48:31.471162308Z","id":"IN-MAL-2026-007364","source":"amazon-inspector","sha256":"6edcc9c4a60feb2f1f4a7fbc6f461202aeab3b9dc167d746d8770bcfa6ed202a"}]},"references":[{"type":"REPORT","url":"https://safedep.io/withgoogle-stitch-sdk-scope-squat-credential-harvester/"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@withgoogle/stitch-sdk/v/0.1.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@withgoogle/stitch-sdk/v/0.1.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@withgoogle/stitch-sdk/v/0.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@withgoogle/stitch-sdk/v/0.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@withgoogle/stitch-sdk/v/0.1.2"}],"affected":[{"package":{"name":"@withgoogle/stitch-sdk","ecosystem":"npm","purl":"pkg:npm/%40withgoogle%2Fstitch-sdk"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["0.1.5","0.1.4","0.1.1","0.1.3","0.1.2"],"database_specific":{"indicators":{"evidence_files":[{"path":"scripts/preinstall.js","sha256":"964edea555e5c959d4705dbbc8f9d845254ffffe98346f3e8b2eaf21f8d95190","tlsh":"33d132b70aeb233430d6e8ad874f5136626bf0237605d590b85db2589fcd03856e1afe"},{"path":"package.json","sha256":"c044f05e25cdc26ea7f0096cbcd8985c208805aaa55284ee93b197fe5b027263","tlsh":"68112932cf385c7317cc27a26c394291fa51984b4934fc1972e7519c8b8d26b16be5ac"},{"path":"bin/cli.js","sha256":"1cee955bd92fb57e8951e8ec82f92751d1d0e3a49b9131f8b723c138de35b178","tlsh":"72f1847b19ab233431d6e5ad834f8132b27af0177205d190b86db3885fcd0385692afa"}],"package_integrity":[{"hashes":{"sha1":"b61a062df2b83eb3368da1792fc9b6719f28654a","sha512_sri":"sha512-2VqODian6kN59wE0D1rKFolIfpk7KJmO/3qjM2ZrHmXGQMZrrrfrsrLQWRoFLfzXQtcQcSLWHkvHV/D2qz5OPQ=="},"filename":"stitch-sdk-0.1.5.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@withgoogle/stitch-sdk/MAL-2026-6256.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}