@whalent/agent @0.3.231
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10721
Ecosystem
npm
Summary
The package ships as an agent daemon whose bundled entry (dist/index.cjs, dist/core.cjs) connects to a hardcoded WebSocket gateway at wss://memory.whalent.com/gw/sdk/ws and executes commands received from the remote side. Handled remote commands include 'upgrade' (triggers a global npm install via a bundled install command), 'restart', and PTY/SSH tunnel primitives ('ssh.tunnel.open', 'proxy.open', 'preview.open') using bundled node-pty. Whoever controls the gateway can drive package upgrades, process restarts, interactive shells, and SSH/proxy tunnels on the host running the daemon. Both bundles are shipped through javascript-obfuscator (hex identifiers, rotating string array, control-flow flattening), so the actual set of remote-authorized operations is not auditable from the published sources.
Source: amazon-inspector (0d9a3395e3bbc1bae774ea99bb4100a3db071a6b4527eaba0ae9089eb51bf268)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.