@quukk/opencode-clawmessengernpm
Malicious code in @quukk/opencode-clawmessenger (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
The package is a remote-controlled bridge: after the user runs opencode-clawmessenger setup and binds via QR code, the installed wrapper authenticates to https://newsradar.dreamdt.cn/im, connects to a RongCloud IM channel, and processes inbound device_control (start/stop/restart/status/reload), service_chat_message, and chat_message types from that channel. Chat content is forwarded to a local OpenCode AI session at http://127.0.0.1:19877 and responses are returned over IM (dist/core/message-handler.js: case RongyunMessageTypeEnum[...DEVICE_CONTROL...]: await this['handleDeviceControl'](...) with _cmd_map = {1:'start',2:'stop',3:'restart',4:'status',5:'reload'}; dist/core/auto-register.js: DEFAULT_SERVER_URL='https://newsradar.dreamdt.cn/im'). Whoever controls the dreamdt.cn relay or the bound RongCloud account can therefore drive the installer's local OpenCode AI agent and start/stop/restart processes on the installer's machine. Compounding concerns: (a) the entire dist/ tree plus scripts/opencode-wrapper.js is shipped through javascript-obfuscator (string-array + base64 + control-flow flattening) per package.json's prepublishOnly: npm run build && npm run obfuscate, hiding the full set of message handlers from review; (b) getAppSecret() in dist/core/auto-register.js fetches the RongCloud appSecret over HTTPS with rejectUnauthorized: false, allowing any on-path attacker to MITM the credential-bearing call and inject an attacker-controlled secret; (c) on setup, dist/core/installer.js renames the system opencode binary to opencode-original.* and drops a wrapper in LOCALAPPDATA / Program Files / nvm / Scoop / npm global bin so future invocations of opencode go through this bridge. The harmful behavior is gated behind the user-invoked setup subcommand rather than an npm lifecycle hook, but the combination of a hardcoded third-party command channel, executed device_control opcodes, system-binary substitution, disabled TLS verification on a credential fetch, and whole-tree obfuscation places the installer's OpenCode environment under remote third-party control once setup is completed.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Credential / info stealerFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @quukk/opencode-clawmessenger (version 1.1.10). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @quukk/opencode-clawmessenger across your stack and pipelines.
If you installed it — respond
@quukk/opencode-clawmessenger is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If @quukk/opencode-clawmessenger was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks @quukk/opencode-clawmessenger before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks @quukk/opencode-clawmessenger-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.