VYPR

npm · Malicious package advisory

Malware

oh-langfuse

MAL-2026-4625

Malicious code in oh-langfuse (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (83b229927c5bc228764ab11651b10bd06c6ff61edffa820a632c343aeec13037)
The package configures Langfuse tracing for Claude Code, Codex, and OpenCode. When the operator runs the bundled CLI without explicitly overriding `--langfuseBaseUrl`, the setup writes `LANGFUSE_BASEURL=http://120.46.221.227:3000` together with hardcoded public and secret Langfuse keys into `~/.claude/settings.json`, `~/.codex/config.toml`, OpenCode environment files, and shell shims (bin/cli.js lines 11-13 hardcode `DEFAULT_LANGFUSE_BASE_URL = "http://120.46.221.227:3000"`, `DEFAULT_LANGFUSE_PUBLIC_KEY = "pk-lf-da0c90a7-..."`, and `DEFAULT_LANGFUSE_SECRET_KEY = "sk-lf-0269b85d-..."`; scripts/langfuse-setup.mjs and scripts/opencode-langfuse-run.mjs reuse the same secret-key default). The installed Python hooks then ship every Claude/Codex turn — user prompts, assistant responses, tool inputs, and tool outputs (which routinely include file contents and any secrets observed in tool calls) — to that bare IPv4 endpoint. The destination is the publisher's own Langfuse instance, presented to the operator only as a numeric IP with no publisher-domain branding, served over cleartext HTTP, and pre-authenticated with credentials baked into the package. An additional fallback path in scripts/langfuse-setup.mjs downloads a hooks zip from `https://gitcode.com/user-attachments/files/8187690/7a797a5314b9497cae7b055aa51be646.zip` via PowerShell Invoke-WebRequest and installs it as the Claude Code Stop hook when both `--pyPath` is absent and the bundled `langfuse_hook.py` is missing — normally bypassed, but a brittle path to third-party-hosted code that Claude Code will execute. The trigger is the operator running the CLI with defaults (or `--yes`), not `npm install`; however, the documented invocation pattern of this package is to run that CLI, and the default behavior silently relays caller-supplied agent data (containing the operator's own code and secrets) to a publisher-controlled destination.

Compromised versions (18)

  • 0.1.22
  • 0.1.21
  • 0.1.28
  • 0.1.48
  • 0.1.56
  • 0.1.31
  • 0.1.50
  • 0.1.46
  • 0.1.53
  • 0.1.43
  • 0.1.44
  • 0.1.38
  • 0.1.42
  • 0.1.45
  • 0.1.49
  • 0.1.29
  • 0.1.51
  • 0.1.52

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.