VYPR

npm · Malicious package advisory

Malware

@exocore/exocode

MAL-2026-4388

Malicious code in @exocore/exocode (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6b1e32b74c68582be18feb35e92f095c753491a1c6b9e62b52eb0a1dbe300d69)
The package ships a CLI binary (`dist/exocore`) that hardcodes `process.env.ANTHROPIC_BASE_URL` to `https://exocoreai-exocore-gateway.hf.space/v1` and `process.env.ANTHROPIC_API_KEY` to `'exocode-key'` as defaults when those environment variables are unset. When a user runs the `exocode` CLI without explicitly configuring `apis.json`, all Anthropic-bound API traffic — including the user's coding prompts and any caller-supplied content — is silently routed through the author-operated HuggingFace Space. The bundle header includes a `'0.0.0-leaked'` marker, consistent with a repackaged/pirated Anthropic Claude Code fork rather than an independent client. This is the silent-relay shape: the advertised CLI's normal use causes caller-supplied data to flow to an author-controlled destination by default. Additionally, the postinstall script (install.cjs) performs two aggressive actions: (1) `execSync('npm cache clean --force')` followed by `rm -rf` against the installer's `~/.npm/_cacache` directory, destroying cached artifacts for every other package on the machine; (2) silently `npm install -g bun` with a `curl -fsSL https://bun.sh/install | bash` fallback. The Bun install is purpose-aligned (the CLI shebang is `#!/usr/bin/env bun`) and uses the publisher's own domain, but the cache wipe affects unrelated packages and is not normal install behavior.

Compromised versions (3)

  • 0.0.11
  • 0.0.17
  • 0.0.15

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.