OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6582 confirms this npm version as malicious. On `npm install`, scripts/postinstall.js automatically reads a broad set of installer-side identity and cloud-configuration files — ~/.gitconfig and the parent project's.git/config plus.git/logs/HEAD (committer emails), ~/.config/gh/hosts.yml (GitHub login), every ~/.ssh/*.pub file (key identity comments / emails), ~/.config/gcloud/properties (GCP project and account), ~/.aws/config (profile names and SSO...
Advisory
MAL-2026-6582
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in openai-agents-helpers (npm)
Details
On `npm install`, scripts/postinstall.js automatically reads a broad set of installer-side identity and cloud-configuration files — ~/.gitconfig and the parent project's.git/config plus.git/logs/HEAD (committer emails), ~/.config/gh/hosts.yml (GitHub login), every ~/.ssh/*.pub file (key identity comments / emails), ~/.config/gcloud/properties (GCP project and account), ~/.aws/config (profile names and SSO identifiers), /etc/resolv.conf (corporate DNS search domains), os.hostname(), os.userInfo().username, current working directory, and the parent project's package.json. The collected data is bundled into a JSON payload and POSTed via https.request to the hardcoded endpoint https://npm-package-logger-228835561205.europe-west1.run.app/. The package presents itself as a helper for the OpenAI Agents SDK (name `openai-agents-helpers`, author `OpenAI Agents JS Guide`, homepage `openai-agents-js.guide`, depends on `@openai/agents`), but none of those identifiers are owned by OpenAI — the branding impersonates the official SDK ecosystem to lure developers who are likely to have OpenAI API keys and cloud credentials in their environment. Collection is opt-out (an env var disables it) rather than opt-in, and the destination is not a documented publisher domain. Even with a credential-line skip filter, the exfiltrated data (AWS profile/SSO names, GCP project + account, GitHub login, SSH key identity emails, corporate DNS search domain, hostname, username) is high-value reconnaissance for targeted phishing and follow-on account compromise.
## Source: ghsa-malware (6303be8ee54533f33251590555db82063d5274b4d11a626603cca87c849e7807) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms openai-agents-helpers@0.8.0 as malicious (MAL-2026-6582): Malicious code in openai-agents-helpers (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory