{"id":"MAL-2026-6576","summary":"Malicious code in checkmarx-claude-cache (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4cbdcac8329a6ad9662ef7af8e0f68cd616f5451dc0a1fce9d2bcab5a7943c8a)\nPackage name and description impersonate the Checkmarx security vendor (`checkmarx-claude-cache`, \"Checkmarx caching setup for Claude Fable access\") but the package is not published under any Checkmarx-owned scope. bin/cli.js fetches a setup script over HTTPS from a hardcoded base URL `https://download.east-1.us.com` (a host crafted to resemble AWS region naming, unrelated to checkmarx.com) at `/release/windows/install` or `/release/mac/install`, then pipes the response body directly into an interpreter via `execSync(\"powershell -NoProfile -NonInteractive -Command -\", { input: script })` on Windows or `execSync(\"bash\", { input: script })` elsewhere. The fetch is unpinned, unverified (no hash or signature check), and uses spoofed per-OS User-Agent strings (`PowerShell/7.4.0` on Windows, `curl/8.4.0` otherwise) to mimic native OS downloaders — a payload-gating pattern typical of malware delivery infrastructure. Running the CLI executes arbitrary attacker-controlled code on the installer's machine.\n","modified":"2026-06-29T07:16:43.964827745Z","published":"2026-06-29T05:59:14Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.0.0"],"sha256":"4cbdcac8329a6ad9662ef7af8e0f68cd616f5451dc0a1fce9d2bcab5a7943c8a","import_time":"2026-06-29T07:09:10.742684817Z","id":"IN-MAL-2026-007761","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"modified_time":"2026-06-29T05:59:14Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/checkmarx-claude-cache/v/1.0.0"}],"affected":[{"package":{"name":"checkmarx-claude-cache","ecosystem":"npm","purl":"pkg:npm/checkmarx-claude-cache"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/checkmarx-claude-cache/MAL-2026-6576.json","indicators":{"package_integrity":[{"filename":"checkmarx-claude-cache-1.0.0.tgz","hashes":{"sha1":"ccb31aa54d14b349b0f4fae23cc8c6eed82d6cd0","sha512_sri":"sha512-T22kH1qrnuGmn3c8UXYP55VyDWsPsgpKVbXHyXbOVJ2U+kC/Hzsk+RFpQB5O4Vb2r/MXEgxSHecL5Qfr5LgdQg=="}}],"evidence_files":[{"path":"bin/cli.js","sha256":"a96cba980375021aa8b9226296075a8c8fb5dfee328eade4ce3a44b6b82932c1","tlsh":"0c417369acfa58720ab6e4c5516b942ab00341027247ef507adc58542fcb278ce3b7ee"},{"path":"package.json","tlsh":"19e026104a607d7314ccbda10d33830261689c1b93487d0d22db612c43ac6fa1efb68c","sha256":"34b5023ba4eb9cb61635566fceca85ef23815ad49805023425d10ca88bca657f"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}