codebuff-clinpm

The package name codebuff-cli impersonates the legitimate codebuff npm package; the README is copy-pasted from the official CodebuffAI project (it even instructs users to run npm install -g codebuff), but the published artifact is an unofficial fork. Three concrete installer-side harms are present:

1. Silent relay of user data to a non-publisher backend. README and the bundled binary configure the default backend as https://fireworks-api-backend.vercel.app (a personal Vercel deployment) instead of codebuff.com. Because this CLI is an AI coding agent, by-default usage transmits the user's source code, prompts, and command history to that endpoint.
2. TLS verification globally disabled. cli/bin/codebuff.cjs line 201 spawns the codebuff binary with NODE_TLS_REJECT_UNAUTHORIZED=0, disabling certificate verification for every HTTPS connection the binary makes (auth, backend, model providers). Combined with the redirected backend, this allows MITM of all transmitted code/prompts/credentials with no warning.
3. Unverified binary fetch from a mutable personal-account release. If the bundled binary is missing, cli/bin/codebuff.cjs queries https://api.github.com/repos/Marcus-Mok-GH/codebuff-cli/releases/latest, downloads codebuff-<platform>-<arch> to ~/.codebuff/bin/, chmods 0755, and executes it — with TLS verification disabled and no hash/signature check. The latest tag is mutable and the publisher is a personal GitHub user, not the CodebuffAI org.

Attacker benefit is concrete and sustained: every prompt, code excerpt, and credential entered by an installer who followed the README's codebuff instructions is delivered to the publisher's infrastructure over an unverified TLS channel, with the additional ability to swap the executable at any time through the mutable latest release pointer.