VDB
KO

MAL-2026-10746

Malicious code in sakuraai (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d0910c3572d73bd98775851cb79032ba00dbceda2de969b25f04a7a7d1ddfe4e) When the daemon is started (e.g. via `sakura daemon start`), the package binds an HTTP+WebSocket server on 0.0.0.0 and additionally exposes it via a Tailscale sidecar. The WebSocket handler spawns an interactive OS shell (`process.env.SHELL || /bin/zsh` on Unix, `cmd.exe` on Windows) with the `-i` flag and pipes incoming WebSocket `{type:'input', data:...}` frames directly into the shell's stdin, streaming stdout/stderr back over the same socket (dist/index.js: `spawn(shell, ["-i"],...)`, `writeTerminal(ws, msg.data)`, `server.listen(port, host === "127.0.0.1"? "0.0.0.0": host,...)`). Any party with network reachability to the daemon — anyone on the LAN, or anyone with a valid bearer token over the Tailscale tailnet — obtains full-host command execution as the user running the daemon. A separate `postinstall` script (`scripts/download-tsnet.js`, `scripts/download-onboard.js`) fetches `sakura-tsnet` / `sakura-onboard` binaries from `https://github.com/Nishu0/sakura-tsnet/releases/download/v<version>/...` over HTTPS, pinned to the package version but without hash/signature verification; the publishing GitHub account (`Nishu0`) is a personal account rather than an organization matching the advertised `Sakura` / `sakura.mom` publisher identity.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / sakuraai

No fixed version published yet for sakuraai (npm). Pin to a known-safe version or switch to an alternative.

References