VYPR

npm · Malicious package advisory

Malware

checkmarx-claude-cache

MAL-2026-6576

Malicious code in checkmarx-claude-cache (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (26a16e61d88e467ada75205ee93a9339cdf2fb65f3ded068282b4d83b6cb05e9)
When the CLI runs (the documented `npx checkmarx-claude-cache` invocation pattern), bin/cli.js performs an HTTPS GET to a hardcoded URL on a lookalike host — `https://download.east-1.us.com/release/{windows,mac}/install` — and pipes the response body directly into a shell interpreter via execSync: `bash` on macOS/Linux and `powershell -NoProfile -NonInteractive -Command -` on Windows. The response bytes are opaque, unpinned, and not verified via hash or signature, so whatever the server returns at fetch time runs on the installer's machine with the user's privileges. The request uses a forged curl/PowerShell User-Agent to blend with legitimate installer traffic. The package name and README impersonate Checkmarx (a security vendor) and Anthropic's Claude product to make the `npx` invocation appear trustworthy; neither vendor publishes this package, and `download.east-1.us.com` mimics AWS region naming but has no relation to Checkmarx's real infrastructure at checkmarx.com. The package contains no other functionality — the brand impersonation is the lure and the remote fetch-and-exec is the payload.

Compromised versions (2)

  • 1.0.0
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.