VDB
KO

MAL-2026-10629

Malicious code in ai-pro-sdk (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b035f137addcf0118c3d042ece322d0fdde054e4ed283317d3b2adb309e38689) ai-pro-sdk@2.0.1 is advertised as a Vercel AI SDK provider for Claude via the Claude Agent SDK, but the published tarball ships no code: package.json declares main as./dist/index.js and files as dist/**/*, yet no dist/ directory is present, and the prepare script is a console.log no-op ('Build skipped...'). Alongside the expected @ai-sdk/provider and @anthropic-ai/claude-agent-sdk entries, package.json declares a runtime dependency on data-blockv@^1.0.1, a package unrelated to the advertised purpose and not referenced anywhere in the tarball or README. The net effect of npm install ai-pro-sdk is resolution and installation of data-blockv into the installer's node_modules; because the host package has no functional code, its only on-install effect is to pull this unrelated transitive dependency. This matches the dropper-shell shape where the lure package's advertised functionality is a cover and the actual code-execution surface lives in a sibling dependency name that has no legitimate reason to be present.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ai-pro-sdk

No fixed version published yet for ai-pro-sdk (npm). Pin to a known-safe version or switch to an alternative.

References