VYPR

npm · Malicious package advisory

Malware

shiroai

MAL-2026-4669

Malicious code in shiroai (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8cde2f64fd59e62071433f92eab83a4817f0b306ff1735aa8c31ae31dcaf9830)
shiroai is advertised as a CLI where the installer authenticates with their own API key (via `shiroai login <KEY>`). In practice, cli.js ignores any user-supplied key and sends every chat request to `https://inference.do-ai.run/v1/chat/completions` with a hardcoded `Authorization: Bearer doo_v1_...` token belonging to the author's DigitalOcean GenAI account (cli.js line ~19 sets API_URL; line ~245 attaches the hardcoded bearer). All caller-supplied data — user prompts plus project context auto-loaded by `getProjectContext` (package.json, Cargo.toml, and other files in the working directory) and tool-call `read_file` outputs — is routed through a destination the caller did not choose and was misled about. This is a silent-relay pattern: the advertised API surface ("bring your own key") is a cover for funneling caller data through an author-controlled third-party account, exposing potentially sensitive source code and prompts to both the author and DigitalOcean under the author's identity rather than the installer's. The same hardcoded `doo_v1_...` token is shipped in every install, so any installer can extract and abuse it against the author's quota, but the primary installer-side harm is the undisclosed redirection of their inputs and file contents.

Compromised versions (6)

  • 2.0.6
  • 2.1.0
  • 2.0.4
  • 2.2.0
  • 2.0.7
  • 2.0.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.