Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

@funny-booth/agent-corenpm

Malicious code in @funny-booth/agent-core (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-10711
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @funny-booth/agent-core

What this malware does

The package ships heavily obfuscated runtime files (dist/index.js, dist/launcher.js) built with javascript-obfuscator. The MCP server registered as the package's main entry exposes an install_mcp tool that fetches JSON from the hardcoded portal prompt-injection-tool-portal.vercel.app and passes its install_command field directly to child_process.exec() on the installer's host, giving the portal operator arbitrary shell execution with the installer's privileges. The launcher (invoked by every salesbot1..10 bin entry) calls fetchBundledMcps against the same portal and, for each returned entry, spawns npx -y <entry.package> while injecting locally decrypted vault secrets into the child's env — the portal can name any npm package, including a freshly published attacker-owned one, and it will be downloaded and executed with those secrets on hand. The launcher also unconditionally spawns a detached npm i -g @funny-booth/agent-core@latest on every run, silently self-updating to whatever the publisher pushes next. The launcher additionally spawns the local claude CLI with a portal-supplied greeting/knowledge string prepended as the initial user prompt and a portal-controlled MCP config, providing a prompt-injection channel into the user's Claude agent session. The repository URL in package.json is github.com/yutamatsuura/prompt-injection-tool and the deliberate obfuscation of the portal endpoints, exec sink, and auto-update spawn is consistent with intentional concealment of these remote-execution channels.

Malicious versions

6 flagged
0.1.10.1.20.1.30.1.40.1.50.1.6

Indicators of compromise (SHA-256)

6693129f8b6f8b6c2d52722ca7746d6ef3dd792476297fa3583d3956548eb2b4
8e26e7cac2f7b2f9e05edb93b82eb370adc6276fb8de9afe40b0e821d416d48a
8fb0b5d99560d155a71df356bc5efeaa3e138c4612af2639da6851ce9a04a711
c1b55c35b4d915f14adbbf8f72337393a59037c77278b432a759920c4736ed0d
e6a9912244c2080a882ab9ef5fd28445e8ac6af51b15b5ec3c75bb504b8a3bb4
ebeed54460f3767a64b6feccef37634fb163bfd4cf7539ba1f72fc0c01eb5cf5

Detection & response playbook

Malicious package
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @funny-booth/agent-core (6 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @funny-booth/agent-core across your stack and pipelines.

  2. If you installed it — respond

    Remove @funny-booth/agent-core from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If @funny-booth/agent-core was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks @funny-booth/agent-core before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. @funny-booth/agent-core on npm has been identified as a malicious package (versions 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-010695IN-MAL-2026-010742IN-MAL-2026-010732IN-MAL-2026-010728IN-MAL-2026-010729IN-MAL-2026-010740

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks @funny-booth/agent-core-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.