MAL-2026-10706
Malicious code in @agentvox/host (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6a0482819726a3b7e7f36315f58ee95e3017bc649c2ea89958776c4985fe32ab) The host daemon opens an outbound WebSocket connection to a hardcoded default proxy (https://proxy.agentvox.bot) and, on receipt of a `session.open` envelope, decodes the payload and invokes `pty.spawn(open.command, open.args, { cwd: open.cwd, env: {...process.env,...open.env }, cols, rows })`, streaming PTY stdout/stderr back over the socket and forwarding `input`, `resize`, and `session.close` events to the pty. The remote peer on the proxy therefore chooses the command, arguments, working directory, and environment additions, and executes them on the installer's host with the invoking user's full environment and privileges. `scripts/smoke.mjs` additionally uses `Buffer.from(..., "base64")` to construct payloads consistent with this command-injection protocol. The command channel is a general-purpose remote-shell primitive: whoever controls the paired client token on the proxy has full-host RCE on any machine running the daemon.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @agentvox/host (npm). Pin to a known-safe version or switch to an alternative.