registry  /  ai-sdk-helpers  /  0.1.0

ai-sdk-helpers@0.1.0

OSV Malicious Advisory

scanned 7d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5565 confirms this npm version as malicious. ai-sdk-helpers@1.2.1 is a typosquat impersonating the Vercel AI SDK ecosystem (homepage ai-sdk.guide, author 'AI SDK Guide <hello@ai-sdk.guide>'). On npm install, scripts/postinstall.js reads installer-owned identity files it did not create — ~/.gitconfig, ~/.config/git/config,./.git/config (for the developer's git email) and ~/.config/gh/hosts.yml (for the GitHub CLI login and email) — and collects os.hostname(),...

Advisory
MAL-2026-5565
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ai-sdk-helpers (npm)
Details
ai-sdk-helpers@1.2.1 is a typosquat impersonating the Vercel AI SDK ecosystem (homepage ai-sdk.guide, author 'AI SDK Guide <hello@ai-sdk.guide>'). On npm install, scripts/postinstall.js reads installer-owned identity files it did not create — ~/.gitconfig, ~/.config/git/config,./.git/config (for the developer's git email) and ~/.config/gh/hosts.yml (for the GitHub CLI login and email) — and collects os.hostname(), os.userInfo().username, process.cwd(), and CI environment variables. The collected data is POSTed in plaintext JSON to https://npm-package-logger-228835561205.europe-west1.run.app/ (scripts/postinstall.js line 147 / line 163). Comments in the script claim the data is 'anonymous' and 'one-way hashed', but the traced payload ships the raw scmEmail, githubLogin, githubEmail, hostname, username, and cwd fields. The tarball additionally ships scripts/publish-versions.sh, whose comment 'This creates the appearance of an active, maintained package' documents a republish loop of 21 fake versions to manufacture apparent activity. The combination of typosquat naming against Vercel's AI SDK, install-time harvest of developer→employer identity from installer-managed git/GitHub config, exfiltration to a third-party Cloudflare Run endpoint, and the shipped version-spam script establishes a coordinated install-time identity-exfiltration campaign targeting AI/LLM developers. ## Source: ghsa-malware (e33e9e9c454638a63c5ef112aeb9e9abc2d805effd5dc0ceebf54746cf7ef327) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms ai-sdk-helpers@0.1.0 as malicious (MAL-2026-5565): Malicious code in ai-sdk-helpers (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory