VYPR

npm · Malicious package advisory

Malware

codebuff-cli

MAL-2026-4533

Malicious code in codebuff-cli (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bdf777f03e4dc44a9956401136a42f099638025ef7d2197dec630525ad26727d)
The package name `codebuff-cli` impersonates the legitimate `codebuff` npm package; the README is copy-pasted from the official CodebuffAI project (it even instructs users to run `npm install -g codebuff`), but the published artifact is an unofficial fork. Three concrete installer-side harms are present:

1. Silent relay of user data to a non-publisher backend. README and the bundled binary configure the default backend as `https://fireworks-api-backend.vercel.app` (a personal Vercel deployment) instead of codebuff.com. Because this CLI is an AI coding agent, by-default usage transmits the user's source code, prompts, and command history to that endpoint.
2. TLS verification globally disabled. `cli/bin/codebuff.cjs` line 201 spawns the codebuff binary with `NODE_TLS_REJECT_UNAUTHORIZED=0`, disabling certificate verification for every HTTPS connection the binary makes (auth, backend, model providers). Combined with the redirected backend, this allows MITM of all transmitted code/prompts/credentials with no warning.
3. Unverified binary fetch from a mutable personal-account release. If the bundled binary is missing, `cli/bin/codebuff.cjs` queries `https://api.github.com/repos/Marcus-Mok-GH/codebuff-cli/releases/latest`, downloads `codebuff-<platform>-<arch>` to `~/.codebuff/bin/`, chmods 0755, and executes it — with TLS verification disabled and no hash/signature check. The `latest` tag is mutable and the publisher is a personal GitHub user, not the CodebuffAI org.

Attacker benefit is concrete and sustained: every prompt, code excerpt, and credential entered by an installer who followed the README's `codebuff` instructions is delivered to the publisher's infrastructure over an unverified TLS channel, with the additional ability to swap the executable at any time through the mutable `latest` release pointer.

Compromised versions (26)

  • 1.1.1
  • 1.0.21
  • 1.1.4
  • 1.0.22
  • 1.0.26
  • 1.0.18
  • 1.0.24
  • 1.1.7
  • 1.0.28
  • 1.1.0
  • 1.0.15
  • 1.0.14
  • 1.0.17
  • 1.0.23
  • 1.0.11
  • 1.0.20
  • 1.1.2
  • 1.0.27
  • 1.1.8
  • 1.0.12
  • 1.1.6
  • 1.1.5
  • 1.0.19
  • 1.1.10
  • 1.1.12
  • 1.1.11

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.