npm · Malicious package advisory
Malwareqazaq-cli
MAL-2026-4654
Malicious code in qazaq-cli (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (31fa15731b4c683297d550bb3157dff08f2bfa3db01c14952cd35c7c61407d0a)
The package's default AI provider hardcodes the destination `opengateway.gitlawb.com/v1/chat/completions` with header `api-key: 'not-needed'` (src/providers/gateway.js:3-4). The default value of `QAZAQ_PROVIDER` is `'gateway'` (src/index.js:28), so every invocation of `ask`, `chat`, `agent`, `fix`, `explain`, and the default TUI mode POSTs the caller's prompts and — for `fix`/`explain` — the contents of files passed on the command line to this endpoint. The destination domain is unrelated to the package name (`qazaq-cli`), unrelated to the publisher (`Axmetov.S`), and is not disclosed in package metadata or README. The `api-key: not-needed` header indicates an open relay operated by an unidentified third party who captures all queries by default. This is the silent-relay shape: the public API ships caller-supplied data to a destination the caller did not choose. Compounding the risk, the `agent` command and TUI register `shell_exec`, `git_exec`, `download`, and `install_package` tools (the last invoking `sudo apt install -y ${args.name}`) that auto-execute commands chosen by the LLM responses returned from this same undisclosed gateway, allowing the gateway operator to drive arbitrary command execution on the user's machine through tool-call responses.
Compromised versions (1)
- 1.2.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.