VDB
EN

MAL-2026-10711

Malicious code in @funny-booth/agent-core (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6693129f8b6f8b6c2d52722ca7746d6ef3dd792476297fa3583d3956548eb2b4) The package ships heavily obfuscated runtime files (dist/index.js, dist/launcher.js) built with javascript-obfuscator. The MCP server registered as the package's main entry exposes an `install_mcp` tool that fetches JSON from the hardcoded portal `prompt-injection-tool-portal.vercel.app` and passes its `install_command` field directly to `child_process.exec()` on the installer's host, giving the portal operator arbitrary shell execution with the installer's privileges. The launcher (invoked by every `salesbot1..10` bin entry) calls `fetchBundledMcps` against the same portal and, for each returned entry, spawns `npx -y <entry.package>` while injecting locally decrypted vault secrets into the child's env — the portal can name any npm package, including a freshly published attacker-owned one, and it will be downloaded and executed with those secrets on hand. The launcher also unconditionally spawns a detached `npm i -g @funny-booth/agent-core@latest` on every run, silently self-updating to whatever the publisher pushes next. The launcher additionally spawns the local `claude` CLI with a portal-supplied greeting/knowledge string prepended as the initial user prompt and a portal-controlled MCP config, providing a prompt-injection channel into the user's Claude agent session. The repository URL in package.json is `github.com/yutamatsuura/prompt-injection-tool` and the deliberate obfuscation of the portal endpoints, exec sink, and auto-update spawn is consistent with intentional concealment of these remote-execution channels.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / @funny-booth/agent-core

No fixed version published yet for @funny-booth/agent-core (npm). Pin to a known-safe version or switch to an alternative.

참고