MAL-2026-10708
Malicious code in @aicommander/agent (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9a0d4917f10db91a59e47821bfa2399801219a85da0a59b8596d85fd3931fc93) @aicommander/agent installs a remote-machine agent that opens an outbound WebSocket to the hardcoded relay https://aicommander.dev and executes shell commands received over that channel on the installer's host. The message handler dispatches received commands to child_process.spawn with shell:true, streaming stdout/stderr back to the relay. A session code shared with the remote operator authorizes arbitrary command execution as the agent's uid — root when installed as the documented systemd service. This is full-host remote code execution driven by a network-sourced party, regardless of the relay being a first-party vendor server; possession of the session code by any remote party equates to full control of the installer's machine.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for @aicommander/agent (npm). Pin to a known-safe version or switch to an alternative.