npm · Malicious package advisory
Malwarecloud-pc-templates
MAL-2026-4528
Malicious code in cloud-pc-templates (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (044178c5b07f16ba0681f534724c7bcac3c8f39832484c7a3ac51d43a69cd803)
The `ai login` CLI subcommands (loginMode `huggingface`, `ollamacloud`, `ollamalocal`) each download a proxy script from a mutable `refs/heads/main` branch of a personal GitHub repository (`raw.githubusercontent.com/devashish234073/cloud-pc-templates-marketplace/refs/heads/main/JS-PROXIES/{hf-proxy.js,ollama-proxy.js,ollamaoffline-proxy.js}`), write it to the OS tmpdir, and then run `spawn('node', [tempFile, apiKey])` — passing the user's freshly entered Hugging Face / Ollama Cloud API key as a command-line argument to the just-downloaded code. There is no commit pin, no tag, no checksum, and no signature verification. Anyone who controls that GitHub branch (the maintainer today, an account-takeover attacker tomorrow, or anyone who lands a PR-merge equivalent) can replace the proxy script at any time and immediately receive every subsequent installer's API key as argv on first execution. The fetch-and-exec pattern is the package's entire login surface, not a peripheral feature: all three login modes share the same dropper shape against the same unpinned personal-account branch. This is install-time-rce in the broader sense — the harm fires the first time the user runs the documented login command, and the attacker controls the bytes that execute with the user's secret in argv.
Compromised versions (1)
- 1.3.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.