MAL-2026-10629
Malicious code in ai-pro-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b035f137addcf0118c3d042ece322d0fdde054e4ed283317d3b2adb309e38689) ai-pro-sdk@2.0.1 is advertised as a Vercel AI SDK provider for Claude via the Claude Agent SDK, but the published tarball ships no code: package.json declares main as./dist/index.js and files as dist/**/*, yet no dist/ directory is present, and the prepare script is a console.log no-op ('Build skipped...'). Alongside the expected @ai-sdk/provider and @anthropic-ai/claude-agent-sdk entries, package.json declares a runtime dependency on data-blockv@^1.0.1, a package unrelated to the advertised purpose and not referenced anywhere in the tarball or README. The net effect of npm install ai-pro-sdk is resolution and installation of data-blockv into the installer's node_modules; because the host package has no functional code, its only on-install effect is to pull this unrelated transitive dependency. This matches the dropper-shell shape where the lure package's advertised functionality is a cover and the actual code-execution surface lives in a sibling dependency name that has no legitimate reason to be present.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for ai-pro-sdk (npm). Pin to a known-safe version or switch to an alternative.