registry  /  checkmarx-claude-cache  /  1.0.1

checkmarx-claude-cache@1.0.1

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6576 confirms this npm version as malicious. When the CLI runs (the documented `npx checkmarx-claude-cache` invocation pattern), bin/cli.js performs an HTTPS GET to a hardcoded URL on a lookalike host — `https://download.east-1.us.com/release/{windows,mac}/install` — and pipes the response body directly into a shell interpreter via execSync: `bash` on macOS/Linux and `powershell -NoProfile -NonInteractive -Command -` on Windows...

Advisory
MAL-2026-6576
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in checkmarx-claude-cache (npm)
Details
When the CLI runs (the documented `npx checkmarx-claude-cache` invocation pattern), bin/cli.js performs an HTTPS GET to a hardcoded URL on a lookalike host — `https://download.east-1.us.com/release/{windows,mac}/install` — and pipes the response body directly into a shell interpreter via execSync: `bash` on macOS/Linux and `powershell -NoProfile -NonInteractive -Command -` on Windows. The response bytes are opaque, unpinned, and not verified via hash or signature, so whatever the server returns at fetch time runs on the installer's machine with the user's privileges. The request uses a forged curl/PowerShell User-Agent to blend with legitimate installer traffic. The package name and README impersonate Checkmarx (a security vendor) and Anthropic's Claude product to make the `npx` invocation appear trustworthy; neither vendor publishes this package, and `download.east-1.us.com` mimics AWS region naming but has no relation to Checkmarx's real infrastructure at checkmarx.com. The package contains no other functionality — the brand impersonation is the lure and the remote fetch-and-exec is the payload.
Decision reason
OpenSSF Malicious Packages via OSV confirms checkmarx-claude-cache@1.0.1 as malicious (MAL-2026-6576): Malicious code in checkmarx-claude-cache (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory