npm

checkmarx-claude-cache @1.0.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-6576

Ecosystem

npm

Summary

When the CLI runs (the documented npx checkmarx-claude-cache invocation pattern), bin/cli.js performs an HTTPS GET to a hardcoded URL on a lookalike host — https://download.east-1.us.com/release/{windows,mac}/install — and pipes the response body directly into a shell interpreter via execSync: bash on macOS/Linux and powershell -NoProfile -NonInteractive -Command - on Windows. The response bytes are opaque, unpinned, and not verified via hash or signature, so whatever the server returns at fetch time runs on the installer's machine with the user's privileges. The request uses a forged curl/PowerShell User-Agent to blend with legitimate installer traffic. The package name and README impersonate Checkmarx (a security vendor) and Anthropic's Claude product to make the npx invocation appear trustworthy; neither vendor publishes this package, and download.east-1.us.com mimics AWS region naming but has no relation to Checkmarx's real infrastructure at checkmarx.com. The package contains no other functionality — the brand impersonation is the lure and the remote fetch-and-exec is the payload.

Source: amazon-inspector (26a16e61d88e467ada75205ee93a9339cdf2fb65f3ded068282b4d83b6cb05e9)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.