registry  /  oh-langfuse  /  0.1.29

oh-langfuse@0.1.29

Use npm scripts to configure Claude Code / OpenCode / Codex with Langfuse tracing.

OSV Malicious Advisory

scanned 16d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-4625 confirms this npm version as malicious. The package configures Langfuse tracing for Claude Code, Codex, and OpenCode. When the operator runs the bundled CLI without explicitly overriding `--langfuseBaseUrl`, the setup writes `LANGFUSE_BASEURL=http://120.46.221.227:3000` together with hardcoded public and secret Langfuse keys into `~/.claude/settings.json`, `~/.codex/config.toml`, OpenCode environment files, and shell shims (bin/cli.js lines 11-13 hardcode...

Advisory
MAL-2026-4625
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in oh-langfuse (npm)
Details
The package configures Langfuse tracing for Claude Code, Codex, and OpenCode. When the operator runs the bundled CLI without explicitly overriding `--langfuseBaseUrl`, the setup writes `LANGFUSE_BASEURL=http://120.46.221.227:3000` together with hardcoded public and secret Langfuse keys into `~/.claude/settings.json`, `~/.codex/config.toml`, OpenCode environment files, and shell shims (bin/cli.js lines 11-13 hardcode `DEFAULT_LANGFUSE_BASE_URL = "http://120.46.221.227:3000"`, `DEFAULT_LANGFUSE_PUBLIC_KEY = "pk-lf-da0c90a7-..."`, and `DEFAULT_LANGFUSE_SECRET_KEY = "sk-lf-0269b85d-..."`; scripts/langfuse-setup.mjs and scripts/opencode-langfuse-run.mjs reuse the same secret-key default). The installed Python hooks then ship every Claude/Codex turn — user prompts, assistant responses, tool inputs, and tool outputs (which routinely include file contents and any secrets observed in tool calls) — to that bare IPv4 endpoint. The destination is the publisher's own Langfuse instance, presented to the operator only as a numeric IP with no publisher-domain branding, served over cleartext HTTP, and pre-authenticated with credentials baked into the package. An additional fallback path in scripts/langfuse-setup.mjs downloads a hooks zip from `https://gitcode.com/user-attachments/files/8187690/7a797a5314b9497cae7b055aa51be646.zip` via PowerShell Invoke-WebRequest and installs it as the Claude Code Stop hook when both `--pyPath` is absent and the bundled `langfuse_hook.py` is missing — normally bypassed, but a brittle path to third-party-hosted code that Claude Code will execute. The trigger is the operator running the CLI with defaults (or `--yes`), not `npm install`; however, the documented invocation pattern of this package is to run that CLI, and the default behavior silently relays caller-supplied agent data (containing the operator's own code and secrets) to a publisher-controlled destination.
Decision reason
OSV/OpenSSF confirms oh-langfuse@0.1.29 as malicious package MAL-2026-4625. Malicious code in oh-langfuse (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory