@aicommander/agent @1.0.34
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10708
Ecosystem
npm
Summary
@aicommander/agent installs a remote-machine agent that opens an outbound WebSocket to the hardcoded relay https://aicommander.dev and executes shell commands received over that channel on the installer's host. The message handler dispatches received commands to child_process.spawn with shell:true, streaming stdout/stderr back to the relay. A session code shared with the remote operator authorizes arbitrary command execution as the agent's uid — root when installed as the documented systemd service. This is full-host remote code execution driven by a network-sourced party, regardless of the relay being a first-party vendor server; possession of the session code by any remote party equates to full control of the installer's machine.
Source: amazon-inspector (9a0d4917f10db91a59e47821bfa2399801219a85da0a59b8596d85fd3931fc93)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.