MAL-2026-4394
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (5793a1cde3de83b8c15b49a0f9981d72fbf431067a4416ce6b2bd5650ea4a4d6)
@ikyyofc/gemini-cli@3.0.1 ships two heavily obfuscated modules (src/gemini.js and src/utils/proxy.js) wrapped in an obfuscator.io-style string-array + RC4-XOR decoder (220-entry encrypted string array, hex-mangled identifiers like `_0x4693ef`, `_0x29cf`). Decoding reveals two coordinated behaviors that make this package unsafe for installers to use:

1. Spoofed Google/Firebase Android-app identity for Gemini access. src/gemini.js exposes a getToken() that POSTs to a hidden URL with hardcoded `X-Android-Package`, `X-Android-Cert` (SHA1 cert fingerprint), and `X-Firebase-GMPID` headers plus a hardcoded `clientType`, then attaches the returned Bearer token to Gemini API calls. The CLI never asks the user for a Google API key; instead it ships a third-party Android application's identity to mint Gemini tokens on the installer's behalf. Every installer who uses the CLI is making Google Gemini API calls under a stolen client identity, exposing them to abuse-of-service and ToS-violation consequences if Google revokes or flags that identity.

2. Silent relay through a hardcoded pool of ~13 third-party proxies. index.js calls `setupGlobalProxy()` at startup, which installs a global axios request interceptor in src/utils/proxy.js that rewrites every outgoing request URL via `wrapUrl(proxy, originalUrl)` to traverse one of ~13 hardcoded proxy hosts. The user's chat prompts and attached file contents (up to 20 MB) are carried in the Gemini POST body and therefore visible in cleartext to the proxy operators. The README does not disclose any proxy/relay behavior; the proxy list is encrypted within the obfuscated bundle to prevent users discovering it through source review.

The combination — obfuscation that hides the data flow, spoofed third-party credentials carrying the installer's API requests, and an undisclosed third-party relay reading prompt content and the Bearer token — is a silent-relay supply-chain pattern. Any developer who installs and runs this CLI leaks the contents of their conversations and any file they attach to operators they never consented to trust, while also operating under a credential that does not belong to them.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "src/gemini.js",
"sha256": "c3a1b0ea55c1eff6a87d0a3ff6c4d223f25177ecf927d221d28dc4f4968fa79e",
"tlsh": "3ad282d976883ec12b0b1a977f63f8f0d8ab199ef1400996e188bc2ca155233d6f5634"
}
],
"package_integrity": [
{
"filename": "gemini-cli-4.0.6.tgz",
"hashes": {
"sha1": "621ac39d3932eed262d83b5b988a4aafb0b412b9",
"sha512_sri": "sha512-ywktjyX/YjPoRgmlIvwU9MIMUBBCWAxzvT64oD5gHnfLFPOqxKCclH6UClzjYu+60PRdOT0mgx9lAPWeD1SEGw=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "@ikyyofc/gemini-cli"
},
"versions": [
"4.0.6",
"5.0.2",
"3.0.6",
"4.0.3",
"3.0.1",
"5.0.1",
"4.0.8",
"5.0.0",
"4.0.5",
"3.0.7",
"4.0.7",
"4.0.2",
"4.0.4",
"4.0.0",
"3.0.9"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004390",
"import_time": "2026-05-26T05:52:30.316450757Z",
"modified_time": "2026-05-23T22:23:11Z",
"sha256": "02dc0713ef228e85a00c9b42387d372926de86995282046d97097ec2c70949a2",
"source": "amazon-inspector",
"versions": [
"4.0.6"
]
},
{
"id": "IN-MAL-2026-004731",
"import_time": "2026-05-26T05:53:10.480861693Z",
"modified_time": "2026-05-25T17:23:51Z",
"sha256": "eb34383a3b5afed7609c8ffaba4251d3f76d2911dd89b847f99e0982e2ea50d7",
"source": "amazon-inspector",
"versions": [
"5.0.2"
]
},
{
"id": "IN-MAL-2026-003523",
"import_time": "2026-05-26T05:50:47.317371102Z",
"modified_time": "2026-05-20T11:47:37Z",
"sha256": "fe916093166227f9f446f7a296135ec423d17d0c85a5b0c6790e73c76f8b99ce",
"source": "amazon-inspector",
"versions": [
"3.0.6"
]
},
{
"id": "IN-MAL-2026-004271",
"import_time": "2026-05-26T05:52:16.637654017Z",
"modified_time": "2026-05-22T23:15:51Z",
"sha256": "4332ef1d823062f94ca9e4c46d6f549050a63909182e5e0275df2d30e14c6a1f",
"source": "amazon-inspector",
"versions": [
"4.0.3"
]
},
{
"id": "IN-MAL-2026-003416",
"import_time": "2026-05-26T05:50:36.179604179Z",
"modified_time": "2026-05-20T02:28:21Z",
"sha256": "5793a1cde3de83b8c15b49a0f9981d72fbf431067a4416ce6b2bd5650ea4a4d6",
"source": "amazon-inspector",
"versions": [
"3.0.1"
]
},
{
"id": "IN-MAL-2026-004617",
"import_time": "2026-05-26T05:52:57.423809885Z",
"modified_time": "2026-05-25T09:51:48Z",
"sha256": "65c21755d121ec1e9099c7b27daa4f3f925f43a4c780d513d9db740a68589ef9",
"source": "amazon-inspector",
"versions": [
"5.0.1"
]
},
{
"id": "IN-MAL-2026-004465",
"import_time": "2026-05-26T05:52:39.227471666Z",
"modified_time": "2026-05-24T05:43:51Z",
"sha256": "9115fec7bc81baed4d91bd288d70fb3ee335022f809e49a1977dd26a9bb7ed3f",
"source": "amazon-inspector",
"versions": [
"4.0.8"
]
},
{
"id": "IN-MAL-2026-004576",
"import_time": "2026-05-26T05:52:52.378741063Z",
"modified_time": "2026-05-25T03:51:18Z",
"sha256": "ab1f4ebb9b0999f78e07156fee9ddc4a5d5fba62dde9860d53c6ffdca17ae40e",
"source": "amazon-inspector",
"versions": [
"5.0.0"
]
},
{
"id": "IN-MAL-2026-004309",
"import_time": "2026-05-26T05:52:21.014258615Z",
"modified_time": "2026-05-23T10:08:18Z",
"sha256": "ac6f383bb15ad3695b0076a2eeb174abd4046cc2d8f5f6887a75817432bd8dba",
"source": "amazon-inspector",
"versions": [
"4.0.5"
]
},
{
"id": "IN-MAL-2026-003526",
"import_time": "2026-05-26T05:50:47.697731547Z",
"modified_time": "2026-05-20T12:20:36Z",
"sha256": "e9f688d1eb6f150c806dffd9d1254a79b840bbaa197a0e4b89433ec800b690f3",
"source": "amazon-inspector",
"versions": [
"3.0.7"
]
},
{
"id": "IN-MAL-2026-004391",
"import_time": "2026-05-26T05:52:30.434734818Z",
"modified_time": "2026-05-23T22:33:41Z",
"sha256": "fc26243a08507ac3dd3802eceac5390b945511271a3029d10f7c983b8df4cd52",
"source": "amazon-inspector",
"versions": [
"4.0.7"
]
},
{
"id": "IN-MAL-2026-004268",
"import_time": "2026-05-26T05:52:16.257821295Z",
"modified_time": "2026-05-22T23:04:03Z",
"sha256": "11fbe698ca8ddd83c5f29afa2fc33ff27ce6887a70912daf40353f92780fe789",
"source": "amazon-inspector",
"versions": [
"4.0.2"
]
},
{
"id": "IN-MAL-2026-004289",
"import_time": "2026-05-26T05:52:18.774876675Z",
"modified_time": "2026-05-23T05:13:27Z",
"sha256": "2cd1b0651b115824914e3b38577a8c599b295d20e83050baa4840990016b1dc8",
"source": "amazon-inspector",
"versions": [
"4.0.4"
]
},
{
"id": "IN-MAL-2026-003753",
"import_time": "2026-05-26T05:51:14.896443801Z",
"modified_time": "2026-05-21T06:00:53Z",
"sha256": "6f63d0b962f666eb8967f2bd1329f066c1b6487e42a235ebfa8fdd94ccd3b816",
"source": "amazon-inspector",
"versions": [
"4.0.0"
]
},
{
"id": "IN-MAL-2026-003745",
"import_time": "2026-05-26T05:51:14.063977792Z",
"modified_time": "2026-05-21T05:41:20Z",
"sha256": "ae8e01268f91446d0a38edb8aa2a9d11ee045363d26034e0e7f41681869747c2",
"source": "amazon-inspector",
"versions": [
"3.0.9"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5793a1cde3de83b8c15b49a0f9981d72fbf431067a4416ce6b2bd5650ea4a4d6)\n@ikyyofc/gemini-cli@3.0.1 ships two heavily obfuscated modules (src/gemini.js and src/utils/proxy.js) wrapped in an obfuscator.io-style string-array + RC4-XOR decoder (220-entry encrypted string array, hex-mangled identifiers like `_0x4693ef`, `_0x29cf`). Decoding reveals two coordinated behaviors that make this package unsafe for installers to use:\n\n1. Spoofed Google/Firebase Android-app identity for Gemini access. src/gemini.js exposes a getToken() that POSTs to a hidden URL with hardcoded `X-Android-Package`, `X-Android-Cert` (SHA1 cert fingerprint), and `X-Firebase-GMPID` headers plus a hardcoded `clientType`, then attaches the returned Bearer token to Gemini API calls. The CLI never asks the user for a Google API key; instead it ships a third-party Android application\u0027s identity to mint Gemini tokens on the installer\u0027s behalf. Every installer who uses the CLI is making Google Gemini API calls under a stolen client identity, exposing them to abuse-of-service and ToS-violation consequences if Google revokes or flags that identity.\n\n2. Silent relay through a hardcoded pool of ~13 third-party proxies. index.js calls `setupGlobalProxy()` at startup, which installs a global axios request interceptor in src/utils/proxy.js that rewrites every outgoing request URL via `wrapUrl(proxy, originalUrl)` to traverse one of ~13 hardcoded proxy hosts. The user\u0027s chat prompts and attached file contents (up to 20 MB) are carried in the Gemini POST body and therefore visible in cleartext to the proxy operators. The README does not disclose any proxy/relay behavior; the proxy list is encrypted within the obfuscated bundle to prevent users discovering it through source review.\n\nThe combination \u2014 obfuscation that hides the data flow, spoofed third-party credentials carrying the installer\u0027s API requests, and an undisclosed third-party relay reading prompt content and the Bearer token \u2014 is a silent-relay supply-chain pattern. Any developer who installs and runs this CLI leaks the contents of their conversations and any file they attach to operators they never consented to trust, while also operating under a credential that does not belong to them.\n",
"id": "MAL-2026-4394",
"modified": "2026-05-26T05:55:01Z",
"published": "2026-05-20T02:28:21Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/4.0.6"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/5.0.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/3.0.6"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/4.0.3"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/3.0.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/5.0.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/4.0.8"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/5.0.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/4.0.5"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/3.0.7"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/4.0.7"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/4.0.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/4.0.4"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/4.0.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@ikyyofc/gemini-cli/v/3.0.9"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in @ikyyofc/gemini-cli (npm)"
}