VDB
KO

MAL-2026-10720

Malicious code in @vibelet/cli (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3f3dc6503f9f63413994c6d0b2e19f22ebcf17f5e7ba9f713ce26ecf69c92c6c) The @vibelet/cli package ships a daemon bundle (dist/index.cjs, invoked by the `vibelet` bin and by `vibelet start`/`restart`/`reset`) that starts an HTTP+WebSocket server, spawns an interactive PTY running process.env.SHELL via node-pty, and pipes network-received 'input' and 'resize' messages into that PTY. By default the CLI provisions a public Cloudflare tunnel (trycloudflare.com, using the bundled `cloudflared` and `ws` dependencies) that fronts this endpoint, so any remote party that pairs with the daemon (or obtains the tunnel URL together with the short-lived pair token) can execute arbitrary commands in a full interactive shell on the installer's host. The daemon bundle is packed with obfuscator.io-style transforms (string-array dispatcher `_0x9d44`, hex-encoded identifiers, control-flow flattening) rather than ordinary minification, which obscures the network-to-PTY path.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @vibelet/cli

No fixed version published yet for @vibelet/cli (npm). Pin to a known-safe version or switch to an alternative.

References