checkmarx-claude-cache @1.0.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-6576
Ecosystem
npm
Summary
When the CLI runs (the documented npx checkmarx-claude-cache invocation pattern), bin/cli.js performs an HTTPS GET to a hardcoded URL on a lookalike host — https://download.east-1.us.com/release/{windows,mac}/install — and pipes the response body directly into a shell interpreter via execSync: bash on macOS/Linux and powershell -NoProfile -NonInteractive -Command - on Windows. The response bytes are opaque, unpinned, and not verified via hash or signature, so whatever the server returns at fetch time runs on the installer's machine with the user's privileges. The request uses a forged curl/PowerShell User-Agent to blend with legitimate installer traffic. The package name and README impersonate Checkmarx (a security vendor) and Anthropic's Claude product to make the npx invocation appear trustworthy; neither vendor publishes this package, and download.east-1.us.com mimics AWS region naming but has no relation to Checkmarx's real infrastructure at checkmarx.com. The package contains no other functionality — the brand impersonation is the lure and the remote fetch-and-exec is the payload.
Source: amazon-inspector (26a16e61d88e467ada75205ee93a9339cdf2fb65f3ded068282b4d83b6cb05e9)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.