VDB
KO

MAL-2026-10721

Malicious code in @whalent/agent (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0d9a3395e3bbc1bae774ea99bb4100a3db071a6b4527eaba0ae9089eb51bf268) The package ships as an agent daemon whose bundled entry (dist/index.cjs, dist/core.cjs) connects to a hardcoded WebSocket gateway at wss://memory.whalent.com/gw/sdk/ws and executes commands received from the remote side. Handled remote commands include 'upgrade' (triggers a global npm install via a bundled install command), 'restart', and PTY/SSH tunnel primitives ('ssh.tunnel.open', 'proxy.open', 'preview.open') using bundled node-pty. Whoever controls the gateway can drive package upgrades, process restarts, interactive shells, and SSH/proxy tunnels on the host running the daemon. Both bundles are shipped through javascript-obfuscator (hex identifiers, rotating string array, control-flow flattening), so the actual set of remote-authorized operations is not auditable from the published sources.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @whalent/agent

No fixed version published yet for @whalent/agent (npm). Pin to a known-safe version or switch to an alternative.

References