@agentvox/host @0.1.5
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10706
Ecosystem
npm
Summary
The host daemon opens an outbound WebSocket connection to a hardcoded default proxy (https://proxy.agentvox.bot) and, on receipt of a session.open envelope, decodes the payload and invokes pty.spawn(open.command, open.args, { cwd: open.cwd, env: {...process.env,...open.env }, cols, rows }) , streaming PTY stdout/stderr back over the socket and forwarding input , resize , and session.close events to the pty. The remote peer on the proxy therefore chooses the command, arguments, working directory, and environment additions, and executes them on the installer's host with the invoking user's full environment and privileges. scripts/smoke.mjs additionally uses Buffer.from(..., "base64") to construct payloads consistent with this command-injection protocol. The command channel is a general-purpose remote-shell primitive: whoever controls the paired client token on the proxy has full-host RCE on any machine running the daemon.
Source: amazon-inspector (6a0482819726a3b7e7f36315f58ee95e3017bc649c2ea89958776c4985fe32ab)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.