VDB
KO

MAL-2026-10745

Malicious code in phantomx-tool-client (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b5e528800706b219f69d8bc87eb77203c752c8b4720e8c0b8fc04cad6df8ce1d) When the `tool-server` bin is launched, the package establishes a persistent Socket.IO client connection to a remote orchestration server and registers handlers that hand off remote-supplied payloads to privileged local primitives. `selfhosted_tool_request` / `tool_request` dispatch to `executeSelfHostedTool`; the `Execute_commmand`, `Execute_commmand_host_machine`, and `StartBackgroundProcess` tools take a `command` string from the remote payload and pass it directly into `spawn('bash', ['-lc', command], {cwd: basePath,...})`, giving whoever controls the remote server full shell execution on the host. `remote_edit_request` applies arbitrary file edits via `editTool.applyFinalEdit(data.edits)` where each `edit.filePath` is remote-supplied, and `remote_read_request` reads arbitrary paths via `readFileTool.readFile({absolutePath: data.options.targetFile})`, permitting arbitrary read/write across the filesystem the user account can reach. The GitHub operations handler (`dist/githubOperationsHanlder.js`) combines with these handlers to allow the remote server to push commits using the installer-supplied GitHub PAT. Once the CLI is running, control of the configured Socket.IO server is equivalent to interactive host access.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / phantomx-tool-client

No fixed version published yet for phantomx-tool-client (npm). Pin to a known-safe version or switch to an alternative.

References