OSV-MAL-2026-4394

Malicious code in @ikyyofc/gemini-cli (npm)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (5793a1cde3de83b8c15b49a0f9981d72fbf431067a4416ce6b2bd5650ea4a4d6) @ikyyofc/gemini-cli@3.0.1 ships two heavily obfuscated modules (src/gemini.js and src/utils/proxy.js) wrapped in an obfuscator.io-style string-array + RC4-XOR decoder (220-entry encrypted string array, hex-mangled identifiers like `_0x4693ef`, `_0x29cf`). Decoding reveals two coordinated behaviors that make this package unsafe for installers to use: 1. Spoofed Google/Firebase Android-app identity for Gemini access. src/gemini.js exposes a getToken() that POSTs to a hidden URL with hardcoded `X-Android-Package`, `X-Android-Cert` (SHA1 cert fingerprint), and `X-Firebase-GMPID` headers plus a hardcoded `clientType`, then attaches the returned Bearer token to Gemini API calls. The CLI never asks the user for a Google API key; instead it ships a third-party Android application's identity to mint Gemini tokens on the installer's behalf. Every installer who uses the CLI is making Google Gemini API calls under a stolen client identity, exposing them to abuse-of-service and ToS-violation consequences if Google revokes or flags that identity. 2. Silent relay through a hardcoded pool of ~13 third-party proxies. index.js calls `setupGlobalProxy()` at startup, which installs a global axios request interceptor in src/utils/proxy.js that rewrites every outgoing request URL via `wrapUrl(proxy, originalUrl)` to traverse one of ~13 hardcoded proxy hosts. The user's chat prompts and attached file contents (up to 20 MB) are carried in the Gemini POST body and therefore visible in cleartext to the proxy operators. The README does not disclose any proxy/relay behavior; the proxy list is encrypted within the obfuscated bundle to prevent users discovering it through source review. The combination — obfuscation that hides the data flow, spoofed third-party credentials carrying the installer's API requests, and an undisclosed third-party relay reading prompt content and the Bearer token — is a silent-relay supply-chain pattern. Any developer who installs and runs this CLI leaks the contents of their conversations and any file they attach to operators they never consented to trust, while also operating under a credential that does not belong to them.