npm · Malicious package advisory
Malwarecodebuff-cli
MAL-2026-4533
Malicious code in codebuff-cli (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (bdf777f03e4dc44a9956401136a42f099638025ef7d2197dec630525ad26727d) The package name `codebuff-cli` impersonates the legitimate `codebuff` npm package; the README is copy-pasted from the official CodebuffAI project (it even instructs users to run `npm install -g codebuff`), but the published artifact is an unofficial fork. Three concrete installer-side harms are present: 1. Silent relay of user data to a non-publisher backend. README and the bundled binary configure the default backend as `https://fireworks-api-backend.vercel.app` (a personal Vercel deployment) instead of codebuff.com. Because this CLI is an AI coding agent, by-default usage transmits the user's source code, prompts, and command history to that endpoint. 2. TLS verification globally disabled. `cli/bin/codebuff.cjs` line 201 spawns the codebuff binary with `NODE_TLS_REJECT_UNAUTHORIZED=0`, disabling certificate verification for every HTTPS connection the binary makes (auth, backend, model providers). Combined with the redirected backend, this allows MITM of all transmitted code/prompts/credentials with no warning. 3. Unverified binary fetch from a mutable personal-account release. If the bundled binary is missing, `cli/bin/codebuff.cjs` queries `https://api.github.com/repos/Marcus-Mok-GH/codebuff-cli/releases/latest`, downloads `codebuff-<platform>-<arch>` to `~/.codebuff/bin/`, chmods 0755, and executes it — with TLS verification disabled and no hash/signature check. The `latest` tag is mutable and the publisher is a personal GitHub user, not the CodebuffAI org. Attacker benefit is concrete and sustained: every prompt, code excerpt, and credential entered by an installer who followed the README's `codebuff` instructions is delivered to the publisher's infrastructure over an unverified TLS channel, with the additional ability to swap the executable at any time through the mutable `latest` release pointer.
Compromised versions (26)
- 1.1.1
- 1.0.21
- 1.1.4
- 1.0.22
- 1.0.26
- 1.0.18
- 1.0.24
- 1.1.7
- 1.0.28
- 1.1.0
- 1.0.15
- 1.0.14
- 1.0.17
- 1.0.23
- 1.0.11
- 1.0.20
- 1.1.2
- 1.0.27
- 1.1.8
- 1.0.12
- 1.1.6
- 1.1.5
- 1.0.19
- 1.1.10
- 1.1.12
- 1.1.11
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.