MAL-2026-10720
Malicious code in @vibelet/cli (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3f3dc6503f9f63413994c6d0b2e19f22ebcf17f5e7ba9f713ce26ecf69c92c6c) The @vibelet/cli package ships a daemon bundle (dist/index.cjs, invoked by the `vibelet` bin and by `vibelet start`/`restart`/`reset`) that starts an HTTP+WebSocket server, spawns an interactive PTY running process.env.SHELL via node-pty, and pipes network-received 'input' and 'resize' messages into that PTY. By default the CLI provisions a public Cloudflare tunnel (trycloudflare.com, using the bundled `cloudflared` and `ws` dependencies) that fronts this endpoint, so any remote party that pairs with the daemon (or obtains the tunnel URL together with the short-lived pair token) can execute arbitrary commands in a full interactive shell on the installer's host. The daemon bundle is packed with obfuscator.io-style transforms (string-array dispatcher `_0x9d44`, hex-encoded identifiers, control-flow flattening) rather than ordinary minification, which obscures the network-to-PTY path.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @vibelet/cli (npm). Pin to a known-safe version or switch to an alternative.