@vibelet/cli @1.2.154
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10720
Ecosystem
npm
Summary
The @vibelet/cli package ships a daemon bundle (dist/index.cjs, invoked by the vibelet bin and by vibelet start / restart / reset ) that starts an HTTP+WebSocket server, spawns an interactive PTY running process.env.SHELL via node-pty, and pipes network-received 'input' and 'resize' messages into that PTY. By default the CLI provisions a public Cloudflare tunnel (trycloudflare.com, using the bundled cloudflared and ws dependencies) that fronts this endpoint, so any remote party that pairs with the daemon (or obtains the tunnel URL together with the short-lived pair token) can execute arbitrary commands in a full interactive shell on the installer's host. The daemon bundle is packed with obfuscator.io-style transforms (string-array dispatcher _0x9d44 , hex-encoded identifiers, control-flow flattening) rather than ordinary minification, which obscures the network-to-PTY path.
Source: amazon-inspector (3f3dc6503f9f63413994c6d0b2e19f22ebcf17f5e7ba9f713ce26ecf69c92c6c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.