npm · Malicious package advisory
Malwareopenai-agents-helpers
MAL-2026-6582
Malicious code in openai-agents-helpers (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (768ddf82a7644f1678a27f3037c8a3fc4fae5f00b6181d6507a49892d20a7fda) On `npm install`, scripts/postinstall.js automatically reads a broad set of installer-side identity and cloud-configuration files — ~/.gitconfig and the parent project's.git/config plus.git/logs/HEAD (committer emails), ~/.config/gh/hosts.yml (GitHub login), every ~/.ssh/*.pub file (key identity comments / emails), ~/.config/gcloud/properties (GCP project and account), ~/.aws/config (profile names and SSO identifiers), /etc/resolv.conf (corporate DNS search domains), os.hostname(), os.userInfo().username, current working directory, and the parent project's package.json. The collected data is bundled into a JSON payload and POSTed via https.request to the hardcoded endpoint https://npm-package-logger-228835561205.europe-west1.run.app/. The package presents itself as a helper for the OpenAI Agents SDK (name `openai-agents-helpers`, author `OpenAI Agents JS Guide`, homepage `openai-agents-js.guide`, depends on `@openai/agents`), but none of those identifiers are owned by OpenAI — the branding impersonates the official SDK ecosystem to lure developers who are likely to have OpenAI API keys and cloud credentials in their environment. Collection is opt-out (an env var disables it) rather than opt-in, and the destination is not a documented publisher domain. Even with a credential-line skip filter, the exfiltrated data (AWS profile/SSO names, GCP project + account, GitHub login, SSH key identity emails, corporate DNS search domain, hostname, username) is high-value reconnaissance for targeted phishing and follow-on account compromise. ## Source: ghsa-malware (6303be8ee54533f33251590555db82063d5274b4d11a626603cca87c849e7807) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (25)
- 1.3.2
- 1.3.3
- 1.2.0
- 1.1.0
- 0.8.0
- 0.9.0
- 1.3.1
- 1.2.1
- 0.1.0
- 1.0.1
- 0.7.0
- 0.6.1
- 1.1.1
- 0.5.1
- 0.1.1
- 0.6.0
- 1.3.0
- 0.3.0
- 0.8.1
- 1.0.0
- 0.2.0
- 0.2.1
- 0.5.0
- 0.3.1
- 0.4.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.