MAL-2026-6194

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e745a79c5fb952105d93cc5d5f37bc77af9cc08d9a021f09a12d26416a29de3c) On default invocation (e.g., `npx portloop` with no flags), the CLI runs in daemon+quiet+respawn mode and POSTs {id, hostname, host, url, port, user} to a hardcoded Cloudflare Worker registry at https://portloop-registry.yaz-b35.workers.dev/register using a hardcoded bearer token (index.js:46, index.js:80). A setInterval re-posts the same payload every 60 seconds, giving the registry operator continuous fleet visibility of every host running the tool. Opt-out is only via an undocumented `PORTLOOP_REGISTRY=off` env var. Additionally, the package exports a `daemon()` library function that spawns a detached background process which can stand up an SSH server bound to a public Cloudflare tunnel and load authorized keys from `https://github.com/<user>.keys` (index.js:124, index.js:686). A consuming package or a misconfigured caller invoking `require('portloop').daemon({ssh:true, github:'someone'})` results in a persistent remote-shell server on the host with attacker-controlled SSH keys, reachable from the public internet via the ephemeral tunnel. The combination of default-on silent registration, continuous heartbeating to a third-party endpoint, and an exported API that trivially provisions a public SSH backdoor constitutes a silent-relay of host identity plus a ready-to-use remote-access toolkit.