npm · Malicious package advisory
Malware@semacode/cli
MAL-2026-4434
Malicious code in @semacode/cli (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (28a3662b8e26593b7bfec35d4d4f02595144885ee738891c4c9e6a89f9e50fbb) The bundled CLI (dist/index.js) contains a hardcoded outbound POST to https://sema.otimitare.online combined with reads of process.env and process.platform in the same module. The destination domain does not match any documented publisher infrastructure for a CLI tool and the call site issues an HTTP POST carrying environment- and platform-derived data. This pattern — hardcoded non-publisher C2 + env/platform reads + POST in a tool's main bundled entry — is the exfiltration shape and not consistent with normal telemetry from a reputable vendor (no opt-out, undocumented destination, suspicious lookalike-style hostname under a generic.online TLD).
Compromised versions (1)
- 1.5.28
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.