VDB
KO

MAL-2026-10729

Malicious code in channel-worker (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cb42c8663e71b69abd887afe5b53f3c9d57bb405dd9e8ec4954eb1bf9bb0c033) The package's runtime code implements a remote command-and-control agent rather than a normal library. bin/cli.js hardcodes the endpoint https://api.channel.tunasm.art and issues POST calls with host identifiers to that endpoint via fetch. lib/command-poller.js pairs child_process execution with GET/POST loops against a remote controller, taking command IDs from responses and executing OS commands (including ping) locally. lib/cache-server.js and lib/nst-manager.js reinforce the same shape: child_process combined with outbound POST and ping invocations to remote hosts. This is a poll-execute-report agent structure — installing or running this package registers the host with the operator of api.channel.tunasm.art and executes commands returned by that server, providing persistent remote access to the machine.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / channel-worker

No fixed version published yet for channel-worker (npm). Pin to a known-safe version or switch to an alternative.

References