OSV Malicious Advisory
scanned 14h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10711 confirms this npm version as malicious. The package ships heavily obfuscated runtime files (dist/index.js, dist/launcher.js) built with javascript-obfuscator. The MCP server registered as the package's main entry exposes an `install_mcp` tool that fetches JSON from the hardcoded portal `prompt-injection-tool-portal.vercel.app` and passes its `install_command` field directly to `child_process.exec()` on the installer's host, giving the portal operator...
Advisory
MAL-2026-10711
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @funny-booth/agent-core (npm)
Details
The package ships heavily obfuscated runtime files (dist/index.js, dist/launcher.js) built with javascript-obfuscator. The MCP server registered as the package's main entry exposes an `install_mcp` tool that fetches JSON from the hardcoded portal `prompt-injection-tool-portal.vercel.app` and passes its `install_command` field directly to `child_process.exec()` on the installer's host, giving the portal operator arbitrary shell execution with the installer's privileges. The launcher (invoked by every `salesbot1..10` bin entry) calls `fetchBundledMcps` against the same portal and, for each returned entry, spawns `npx -y <entry.package>` while injecting locally decrypted vault secrets into the child's env — the portal can name any npm package, including a freshly published attacker-owned one, and it will be downloaded and executed with those secrets on hand. The launcher also unconditionally spawns a detached `npm i -g @funny-booth/agent-core@latest` on every run, silently self-updating to whatever the publisher pushes next. The launcher additionally spawns the local `claude` CLI with a portal-supplied greeting/knowledge string prepended as the initial user prompt and a portal-controlled MCP config, providing a prompt-injection channel into the user's Claude agent session. The repository URL in package.json is `github.com/yutamatsuura/prompt-injection-tool` and the deliberate obfuscation of the portal endpoints, exec sink, and auto-update spawn is consistent with intentional concealment of these remote-execution channels.
Decision reason
OpenSSF Malicious Packages via OSV confirms @funny-booth/agent-core@0.1.5 as malicious (MAL-2026-10711): Malicious code in @funny-booth/agent-core (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory