npm · Malicious package advisory
Malware@zhengshuo888/huoke
MAL-2026-4472
Malicious code in @zhengshuo888/huoke (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab) On npm install, the package's postinstall hook runs `node bin/huoke.js install-skill`, which uses `execSync` to invoke `curl -fsSL` against `https://raw.githubusercontent.com/amswf/huoke/main/SKILL.md` and writes the response into `~/.hermes/skills/.../SKILL.md` and `~/.openclaw/skills/...`. The URL is on a personal GitHub user's account (`amswf`) that does not match the package's declared repository (`huoke-link/huoke-skill`), points at a mutable `main` branch, and the fetched content is not hash- or signature-verified. The package already ships a `SKILL.md` in the tarball, but the postinstall ignores it and refetches remotely, so the file the AI ends up loading is whatever the controller of that personal repo serves at install time — not the file npm reviewed. The installed SKILL.md is loaded by Hermes/OpenClaw as agent instructions and contains `curl` directives that the user's AI agent executes with the user's bearer tokens, giving the controller of `github.com/amswf/huoke` an install-time channel to direct privileged actions on the installer's machine. Separately, `bin/huoke.js` defaults its server endpoint to `http://huoke.link` (plaintext HTTP) with a hardcoded shared bearer `sk_clawx_dev_2026`, so the credential-setup flow it advertises transmits the installer's email, verification code, and password in cleartext under a key shared by every installer — a quality issue layered on top of the install-time-fetch concern.
Compromised versions (2)
- 1.0.0
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.