MAL-2026-4789
Vulnerability from ossf_malicious_packages
Published
2026-05-26 09:03
Modified
2026-05-26 09:19
Summary
Malicious code in ggk-happy (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (da23474ba170aa6d3b5bea2c2e8ebbc59be022caec4b612528dd644891e31379)

ggk-happy is a fork of the slopus/happy CLI that preserves the upstream README, homepage (happy.engineering) and repository URL (github.com/slopus/happy) but replaces the default backend hosts with attacker-controlled domains. dist/types-DWj8Mfeh.cjs and dist/types-BIhsCv19.mjs hardcode DEFAULT_SERVER_URL = "https://happy-api.ask-ggk.com" and DEFAULT_WEBAPP_URL = "https://happy.ask-ggk.com", and a bundled dependency is aliased via "@slopus/happy-wire": "npm:ggkhappy-wire@0.1.0". README instructs npm install -g happy and invocation as happy, while the published package is ggk-happy with bins ggkhappy/ggkhappy-mcp — a typosquat/brand-confusion shape. When the user runs the CLI, it opens a persistent websocket to happy-api.ask-ggk.com and calls registerCommonHandlers(), registering RPC handlers including bash (which runs execAsync(data.command, options)), readFile, writeFile, listDirectory, getDirectoryTree, ripgrep, and spawn-happy-session. Although messages are E2E-encrypted, the keypair is established through the same attacker-controlled auth endpoint, so the operator of ask-ggk.com has effective remote shell and arbitrary filesystem read/write on the developer's machine. Code under dist/config-*.cjs additionally reads ~/.gemini/oauth_creds.json, ~/.gemini/auth.json, ~/.config/gemini/* and shells out to gcloud auth application-default print-access-token within the same process that talks to ask-ggk.com.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits
Amazon Inspector actran@amazon.com
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "domains": [
            "34.11.16.104.in-addr.arpa"
          ],
          "evidence_files": [
            {
              "path": "dist/types-DWj8Mfeh.cjs",
              "sha256": "ce1ce10ae0982152c2aca582e147aa9b2310dc8d4164d6cb3685b92e6e136a62",
              "tlsh": "c2c3c948baf7153a5763616a7e1f90123334900b3609de58bb8c4380af5d538e6f7be9"
            },
            {
              "path": "dist/config-3K1mk5IJ.cjs",
              "sha256": "fff65459c332f1e57fb3211c0e5d0022df3b5ccb7393ec80a9b9ba9ab5cbbc51",
              "tlsh": "9cf153cb3aebcb5337a53a51e5870221bd07dac70a0558607a8cf6ce5f4c0674b62bb5"
            }
          ],
          "package_integrity": [
            {
              "filename": "ggk-happy-1.0.9.tgz",
              "hashes": {
                "sha1": "50faabb164d08233c4faf8c64aa07899b0f8f4df",
                "sha512_sri": "sha512-MF8irpW9T+XAryCVOlOnJ86QYz5VHOi3Bc69kggE+gMeaKoiksVGgUp18Lsda0iBSOulj58ve1TZ/zk+uS5xeQ=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "ggk-happy"
      },
      "versions": [
        "1.0.9"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "actran@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-004879",
        "import_time": "2026-05-26T09:17:33.222549966Z",
        "modified_time": "2026-05-26T09:03:52Z",
        "sha256": "01759f2a020bbf9172f916322b93b5b8bdd3d01ddc2b3130af73763709ec723c",
        "source": "amazon-inspector",
        "versions": [
          "1.0.9"
        ]
      },
      {
        "id": "IN-MAL-2026-004878",
        "import_time": "2026-05-26T09:17:33.135593087Z",
        "modified_time": "2026-05-26T09:03:51Z",
        "sha256": "da23474ba170aa6d3b5bea2c2e8ebbc59be022caec4b612528dd644891e31379",
        "source": "amazon-inspector",
        "versions": [
          "1.0.9"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (da23474ba170aa6d3b5bea2c2e8ebbc59be022caec4b612528dd644891e31379)\nggk-happy is a fork of the slopus/happy CLI that preserves the upstream README, homepage (happy.engineering) and repository URL (github.com/slopus/happy) but replaces the default backend hosts with attacker-controlled domains. dist/types-DWj8Mfeh.cjs and dist/types-BIhsCv19.mjs hardcode `DEFAULT_SERVER_URL = \"https://happy-api.ask-ggk.com\"` and `DEFAULT_WEBAPP_URL = \"https://happy.ask-ggk.com\"`, and a bundled dependency is aliased via `\"@slopus/happy-wire\": \"npm:ggkhappy-wire@0.1.0\"`. README instructs `npm install -g happy` and invocation as `happy`, while the published package is `ggk-happy` with bins `ggkhappy`/`ggkhappy-mcp` \u2014 a typosquat/brand-confusion shape. When the user runs the CLI, it opens a persistent websocket to happy-api.ask-ggk.com and calls `registerCommonHandlers()`, registering RPC handlers including `bash` (which runs `execAsync(data.command, options)`), `readFile`, `writeFile`, `listDirectory`, `getDirectoryTree`, `ripgrep`, and `spawn-happy-session`. Although messages are E2E-encrypted, the keypair is established through the same attacker-controlled auth endpoint, so the operator of ask-ggk.com has effective remote shell and arbitrary filesystem read/write on the developer\u0027s machine. Code under dist/config-*.cjs additionally reads `~/.gemini/oauth_creds.json`, `~/.gemini/auth.json`, `~/.config/gemini/*` and shells out to `gcloud auth application-default print-access-token` within the same process that talks to ask-ggk.com.\n",
  "id": "MAL-2026-4789",
  "modified": "2026-05-26T09:19:12Z",
  "published": "2026-05-26T09:03:51Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/ggk-happy/v/1.0.9"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in ggk-happy (npm)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.