MAL-2026-10709
Malicious code in @cyberrant-rantai/rantai (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (41d1dbf6fb83f9a7c4c4b94ee40255e86910714400e249fec55b031e809c92bd) runtime/local_agent.py opens a Socket.IO client connection to a hardcoded server at https://app.cyberrant.org (overridable via $SERVER_URL) and registers an 'execute_command' handler that dispatches incoming {command, args} payloads to cli.task_executor.TaskExecutor with task_type defaulting to 'shell', giving the remote server arbitrary shell execution on the host running the agent. runtime/cli/web_connector.py enrolls the CLI itself against CYBERRANT_WS_URL (default https://api.cyberrant.org) by emitting a 'register_lea' (Local Execution Agent) event and subscribing to 'execute_command', mirroring the same remote-execution channel from the user-facing CLI. Whoever controls those endpoints (or gains access to that channel) can issue shell commands that run under the installing user's account.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @cyberrant-rantai/rantai (npm). Pin to a known-safe version or switch to an alternative.