VYPR

npm · Malicious package advisory

Malware

@semacode/cli

MAL-2026-4434

Malicious code in @semacode/cli (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (28a3662b8e26593b7bfec35d4d4f02595144885ee738891c4c9e6a89f9e50fbb)
The bundled CLI (dist/index.js) contains a hardcoded outbound POST to https://sema.otimitare.online combined with reads of process.env and process.platform in the same module. The destination domain does not match any documented publisher infrastructure for a CLI tool and the call site issues an HTTP POST carrying environment- and platform-derived data. This pattern — hardcoded non-publisher C2 + env/platform reads + POST in a tool's main bundled entry — is the exfiltration shape and not consistent with normal telemetry from a reputable vendor (no opt-out, undocumented destination, suspicious lookalike-style hostname under a generic.online TLD).

Compromised versions (1)

  • 1.5.28

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.