VDB
EN

MAL-2026-10708

Malicious code in @aicommander/agent (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9a0d4917f10db91a59e47821bfa2399801219a85da0a59b8596d85fd3931fc93) @aicommander/agent installs a remote-machine agent that opens an outbound WebSocket to the hardcoded relay https://aicommander.dev and executes shell commands received over that channel on the installer's host. The message handler dispatches received commands to child_process.spawn with shell:true, streaming stdout/stderr back to the relay. A session code shared with the remote operator authorizes arbitrary command execution as the agent's uid — root when installed as the documented systemd service. This is full-host remote code execution driven by a network-sourced party, regardless of the relay being a first-party vendor server; possession of the session code by any remote party equates to full control of the installer's machine.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / @aicommander/agent

No fixed version published yet for @aicommander/agent (npm). Pin to a known-safe version or switch to an alternative.

참고