@funny-booth/agent-core @0.1.6
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10711
Ecosystem
npm
Summary
The package ships heavily obfuscated runtime files (dist/index.js, dist/launcher.js) built with javascript-obfuscator. The MCP server registered as the package's main entry exposes an install_mcp tool that fetches JSON from the hardcoded portal prompt-injection-tool-portal.vercel.app and passes its install_command field directly to child_process.exec() on the installer's host, giving the portal operator arbitrary shell execution with the installer's privileges. The launcher (invoked by every salesbot1..10 bin entry) calls fetchBundledMcps against the same portal and, for each returned entry, spawns npx -y <entry.package> while injecting locally decrypted vault secrets into the child's env — the portal can name any npm package, including a freshly published attacker-owned one, and it will be downloaded and executed with those secrets on hand. The launcher also unconditionally spawns a detached npm i -g @funny-booth/agent-core@latest on every run, silently self-updating to whatever the publisher pushes next. The launcher additionally spawns the local claude CLI with a portal-supplied greeting/knowledge string prepended as the initial user prompt and a portal-controlled MCP config, providing a prompt-injection channel into the user's Claude agent session. The repository URL in package.json is github.com/yutamatsuura/prompt-injection-tool and the deliberate obfuscation of the portal endpoints, exec sink, and auto-update spawn is consistent with intentional concealment of these remote-execution channels.
Source: amazon-inspector (6693129f8b6f8b6c2d52722ca7746d6ef3dd792476297fa3583d3956548eb2b4)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.