VDB
KO

MAL-2026-10725

Malicious code in agentto (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8cd82c93e5f7bc0005dec9fbf18f01ec45bb6e6d2fb97bad2479c0209a7414bf) agentto@0.5.36 opens a WebSocket to the hardcoded server wss://link.agentto.net and routes `terminal.*` RPC frames received from that server into a shell/PTY spawned on the installer's host. The `terminal.input` handler (host/terminal-service.mjs around line 135) base64-decodes `params.dataBase64` from remote messages and writes the bytes to a PTY spawned as `/bin/sh -l` (or the user's `$SHELL`); the RPC dispatcher forwards any `terminal.*` method arriving on the relay socket to this host terminal service. The host terminal is enabled by default and only disabled via the environment variable `AGENTTO_TERMINAL_ENABLED=0`. Any party controlling link.agentto.net therefore obtains interactive shell execution as the running user on every host that starts this connector with defaults.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / agentto

No fixed version published yet for agentto (npm). Pin to a known-safe version or switch to an alternative.

References