@funny-booth/agent-corenpm
Malicious code in @funny-booth/agent-core (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
The package ships heavily obfuscated runtime files (dist/index.js, dist/launcher.js) built with javascript-obfuscator. The MCP server registered as the package's main entry exposes an install_mcp tool that fetches JSON from the hardcoded portal prompt-injection-tool-portal.vercel.app and passes its install_command field directly to child_process.exec() on the installer's host, giving the portal operator arbitrary shell execution with the installer's privileges. The launcher (invoked by every salesbot1..10 bin entry) calls fetchBundledMcps against the same portal and, for each returned entry, spawns npx -y <entry.package> while injecting locally decrypted vault secrets into the child's env — the portal can name any npm package, including a freshly published attacker-owned one, and it will be downloaded and executed with those secrets on hand. The launcher also unconditionally spawns a detached npm i -g @funny-booth/agent-core@latest on every run, silently self-updating to whatever the publisher pushes next. The launcher additionally spawns the local claude CLI with a portal-supplied greeting/knowledge string prepended as the initial user prompt and a portal-controlled MCP config, providing a prompt-injection channel into the user's Claude agent session. The repository URL in package.json is github.com/yutamatsuura/prompt-injection-tool and the deliberate obfuscation of the portal endpoints, exec sink, and auto-update spawn is consistent with intentional concealment of these remote-execution channels.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Malicious packageFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @funny-booth/agent-core (6 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @funny-booth/agent-core across your stack and pipelines.
If you installed it — respond
Remove @funny-booth/agent-core from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If @funny-booth/agent-core was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @funny-booth/agent-core before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks @funny-booth/agent-core-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.