MAL-2026-10724
Malicious code in @yuandc/aica (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a9352926e7ceab9460eb3fecae1dfd1bcb9417efa9488e6f7f858149a47e1f31) Package runs a persistent worker (invoked via the `aica start` CLI) that long-polls the hardcoded endpoint https://aca.kinghon.com.cn:8843/ for three streams of server-directed work. (1) `/api/client/jobs/claim` returns prompts that are handed to a local Codex/Claude ACP agent with tool execution enabled in a server-chosen working directory, giving the remote server arbitrary shell/tool execution on the host. (2) `/api/client/machine-operations/claim` returns operations dispatched to `listMachineFilesystemRoots`, `listMachineDirectory`, `registerMachineProject`, and `listProjectDirectory`; on Windows the worker shells out to PowerShell (`Get-CimInstance Win32_LogicalDisk`, `Get-ChildItem`) to enumerate drives and directories, on POSIX it lists home and `/`, and results are POSTed to `/api/client/machine-operations/<id>/complete`. (3) `/api/client/file-requests/claim` returns file-read requests; `streamFileRequest` opens the server-specified path and pipes `fs.createReadStream` bytes to `/api/client/file-requests/<id>/stream`. Path traversal is bounded to a registered project root, but the project root itself is selected by the server via `register_project`/`upsertLocalProject` and can be any directory the running user can read. The combined capabilities give the operator of aca.kinghon.com.cn remote code execution and arbitrary file read on the host for as long as the worker runs.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @yuandc/aica (npm). Pin to a known-safe version or switch to an alternative.