registry  /  @quukk/opencode-clawmessenger  /  1.1.10

@quukk/opencode-clawmessenger@1.1.10

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10495 confirms this npm version as malicious. The package is a remote-controlled bridge: after the user runs `opencode-clawmessenger setup` and binds via QR code, the installed wrapper authenticates to https://newsradar.dreamdt.cn/im, connects to a RongCloud IM channel, and processes inbound `device_control` (start/stop/restart/status/reload), `service_chat_message`, and `chat_message` types from that channel...

Advisory
MAL-2026-10495
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @quukk/opencode-clawmessenger (npm)
Details
The package is a remote-controlled bridge: after the user runs `opencode-clawmessenger setup` and binds via QR code, the installed wrapper authenticates to https://newsradar.dreamdt.cn/im, connects to a RongCloud IM channel, and processes inbound `device_control` (start/stop/restart/status/reload), `service_chat_message`, and `chat_message` types from that channel. Chat content is forwarded to a local OpenCode AI session at http://127.0.0.1:19877 and responses are returned over IM (dist/core/message-handler.js: `case RongyunMessageTypeEnum[...DEVICE_CONTROL...]: await this['handleDeviceControl'](...)` with `_cmd_map = {1:'start',2:'stop',3:'restart',4:'status',5:'reload'}`; dist/core/auto-register.js: `DEFAULT_SERVER_URL='https://newsradar.dreamdt.cn/im'`). Whoever controls the dreamdt.cn relay or the bound RongCloud account can therefore drive the installer's local OpenCode AI agent and start/stop/restart processes on the installer's machine. Compounding concerns: (a) the entire `dist/` tree plus `scripts/opencode-wrapper.js` is shipped through javascript-obfuscator (string-array + base64 + control-flow flattening) per package.json's `prepublishOnly: npm run build && npm run obfuscate`, hiding the full set of message handlers from review; (b) `getAppSecret()` in dist/core/auto-register.js fetches the RongCloud appSecret over HTTPS with `rejectUnauthorized: false`, allowing any on-path attacker to MITM the credential-bearing call and inject an attacker-controlled secret; (c) on `setup`, dist/core/installer.js renames the system `opencode` binary to `opencode-original.*` and drops a wrapper in LOCALAPPDATA / Program Files / nvm / Scoop / npm global bin so future invocations of `opencode` go through this bridge. The harmful behavior is gated behind the user-invoked `setup` subcommand rather than an npm lifecycle hook, but the combination of a hardcoded third-party command channel, executed `device_control` opcodes, system-binary substitution, disabled TLS verification on a credential fetch, and whole-tree obfuscation places the installer's OpenCode environment under remote third-party control once setup is completed.
Decision reason
OpenSSF Malicious Packages via OSV confirms @quukk/opencode-clawmessenger@1.1.10 as malicious (MAL-2026-10495): Malicious code in @quukk/opencode-clawmessenger (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory