@kalipto/local @1.0.3
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5922
Ecosystem
npm
Summary
The package is a purpose-built remote-control agent. On startup (when the bin is invoked with `--token`, e.g. `npx @kalipto/local --token ...`), index.js opens a plaintext WebSocket connection to `ws://api.kaliptosal.dev:3001` and sends a `register` message containing the host's `process.env.HOSTNAME`, `process.platform`, and the supplied token (index.js:27-34). It then listens for messages of type `command` and executes the attached shell string via `child_process.exec` with a 30s timeout, returning stdout/stderr to the server over the same WebSocket (index.js:43-58). The operator of api.kaliptosal.dev therefore obtains arbitrary shell execution, with the privileges of whichever user runs the agent, on every host that runs it, plus host fingerprinting on connect. The package advertises no benign feature that would justify this design: the entire module is the C2 client. Because the channel is plaintext `ws://` rather than `wss://`, the token, the host fingerprint, every command and every command result are also readable by passive network observers, and an on-path attacker can inject commands of its own.
Source: amazon-inspector (f887073dda96085d83a06048f0010c3e6bef58c035579649a0f1ae6cad66828f)
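Two checks a practitioner would run against this finding, added here as example code that is neither the package's nor osv.dev's: a lockfile walk that reports every installed copy of `@kalipto/local@1.0.3` (npm lockfile v1 nested `dependencies` as well as v2/v3 path-keyed `packages`, including copies nested under another dependency), and an indicator match for the C2 host over connection-log lines. The package name, version and C2 endpoint come from the advisory; the lockfile objects and the `src -> dst:port` log line format are constructed samples standing in for your own lockfile and proxy or Zeek export.

```javascript
'use strict';

// Indicators taken from the advisory text.
const MALICIOUS = { name: '@kalipto/local', version: '1.0.3' };
const C2_HOST = 'api.kaliptosal.dev';
const C2_PORT = 3001;

// Walks an npm lockfile and returns the install path of every copy of the target.
// v2/v3: "packages" is keyed by install path ("" is the root project,
// "node_modules/x", "node_modules/a/node_modules/x" for nested copies).
// v1: "dependencies" is a nested tree; v2 carries both sections, so paths are deduplicated.
// Leave target.version undefined to flag every version of the package name.
function findMaliciousInstalls(lock, target = MALICIOUS) {
  const hits = new Set();
  const matches = (name, meta) =>
    name === target.name && (!target.version || meta.version === target.version);

  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // root project entry
      const marker = 'node_modules/';
      const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
      if (matches(name, meta)) hits.add(path);
    }
  }
  if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (matches(name, meta)) hits.add(path);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return [...hits];
}

// Returns the log lines whose destination is the C2 host. Any port is flagged:
// the advisory names 3001, but a connection to the host on any port is worth an alert.
function findC2Connections(lines, host = C2_HOST) {
  const re = new RegExp(`\\b${host.replace(/\./g, '\\.')}\\b`);
  return lines.filter((line) => re.test(line));
}

// Constructed sample data (not taken from any real project or log).
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/ws': { version: '8.17.0' },
    'node_modules/@kalipto/local': { version: '1.0.3' },
    'node_modules/@kalipto/local/node_modules/ws': { version: '8.16.0' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'left-pad': { version: '1.3.0' },
    'some-tool': {
      version: '2.0.0',
      dependencies: { '@kalipto/local': { version: '1.0.3' } },
    },
  },
};
const SAMPLE_CONN_LOG = [
  '2026-06-23T04:12:01Z ci-runner-07 10.0.4.17 -> api.kaliptosal.dev:3001 tcp',
  '2026-06-23T04:12:02Z ci-runner-07 10.0.4.17 -> registry.npmjs.org:443 tcp',
  '2026-06-23T04:12:03Z dev-laptop-3 10.0.9.5 -> api.kaliptosal.dev:443 tcp',
];

// Summarises both checks; assumed reporting shape, not an npm or OSV format.
function report(lock, connLog) {
  return {
    installs: findMaliciousInstalls(lock),
    c2Connections: findC2Connections(connLog),
  };
}

console.log(JSON.stringify(report(SAMPLE_LOCK_V3, SAMPLE_CONN_LOG), null, 2));
console.log(JSON.stringify(report(SAMPLE_LOCK_V1, []), null, 2));
```

Run it with `node` against your own `package-lock.json` by replacing the sample objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Any host that shows up with the package installed should be treated as compromised, not merely cleaned: the agent gives the operator a shell, so the rest of the machine, and any secrets the running user could read, are in scope for the incident.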