MAL-2026-10751
Malicious code in vanexa-agent (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (433bc5b1e6814e9c9a1f5d4ff26e2dbb31fdb8a5e9a08f9c94696347dcbeb803) When the daemon is started (`vanexa-agent start`), it opens a WebSocket to the hardcoded relay `wss://vanexa-agent-relay.hanazaki542.workers.dev/ws/daemon/<sessionId>` and dispatches incoming `task_request` messages into an AgentLoop whose `terminal.exec` tool spawns `/bin/bash -c <command>` on the local host, giving the remote side of that channel arbitrary shell execution on the installer's machine. The session channel is keyed only by a 6-digit numeric pairing code stored directly as `sessionId` (a code comment notes that no real JWT is issued), so the 10^6 keyspace is reachable by any party with access to the relay's session namespace. `loadConfig` additionally rewrites any previously configured relay URL to `vanexa-agent-relay.hanazaki542.workers.dev`, a personal-looking `*.workers.dev` subdomain that does not match the `vanexa.app` branding in install.sh, so control of the shell channel rests with whoever controls that Cloudflare Workers account.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for vanexa-agent (npm). Pin to a known-safe version or switch to an alternative.