npm

ai-pro-sdk @2.0.3

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC

Malicious

OSV ID

MAL-2026-10629

Ecosystem

npm

Summary

ai-pro-sdk@2.0.1 is advertised as a Vercel AI SDK provider for Claude via the Claude Agent SDK, but the published tarball ships no code: package.json declares main as./dist/index.js and files as dist/**/*, yet no dist/ directory is present, and the prepare script is a console.log no-op ('Build skipped...'). Alongside the expected @ai-sdk/provider and @anthropic-ai/claude-agent-sdk entries, package.json declares a runtime dependency on data-blockv@^1.0.1, a package unrelated to the advertised purpose and not referenced anywhere in the tarball or README. The net effect of npm install ai-pro-sdk is resolution and installation of data-blockv into the installer's node_modules; because the host package has no functional code, its only on-install effect is to pull this unrelated transitive dependency. This matches the dropper-shell shape where the lure package's advertised functionality is a cover and the actual code-execution surface lives in a sibling dependency name that has no legitimate reason to be present.

Source: amazon-inspector (b035f137addcf0118c3d042ece322d0fdde054e4ed283317d3b2adb309e38689)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.