npm

checkmarx-claude-cache @1.0.0

Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 9:56 AM UTC

Malicious

OSV ID

MAL-2026-6576

Ecosystem

npm

Summary

The package name and description impersonate the security vendor Checkmarx (checkmarx-claude-cache, "Checkmarx caching setup for Claude Fable access"), but the package is not published under any Checkmarx-owned npm scope.

bin/cli.js fetches a setup script over HTTPS from the hardcoded base URL https://download.east-1.us.com (a host named to resemble AWS region naming and unrelated to checkmarx.com), at /release/windows/install on Windows or /release/mac/install elsewhere, and pipes the response body directly into an interpreter: execSync("powershell -NoProfile -NonInteractive -Command -", { input: script }) on Windows, execSync("bash", { input: script }) otherwise. The download is unpinned and unverified (no hash or signature check), and the request carries a spoofed per-OS User-Agent (PowerShell/7.4.0 on Windows, curl/8.4.0 otherwise) to mimic native OS downloaders. Serving different content depending on the apparent client is a payload-gating pattern typical of malware delivery infrastructure, so the script fetched by an analyst may differ from the one fetched by a victim.

Running the CLI therefore executes arbitrary attacker-controlled code on the installer's machine. Because the payload is fetched at run time, its contents at the moment a given victim ran the CLI cannot be recovered from the package alone; any host on which the CLI was executed should be treated as compromised.

Source: amazon-inspector (4cbdcac8329a6ad9662ef7af8e0f68cd616f5451dc0a1fce9d2bcab5a7943c8a)
