npm

@yeaft/webchat-agent @1.0.171

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10723

Ecosystem

npm

Summary

On startup the agent opens a WebSocket to a configurable server (SERVER_URL / config.serverUrl, default ws://localhost:3456) and dispatches server-originated messages to handlers on the installer's host. handleTerminalCreate spawns the user's login shell via node-pty ( pty.spawn(shell,...) ) and handleTerminalInput writes bytes from the WebSocket directly into that PTY ( term.pty.write(msg.data) ), giving whoever controls the endpoint an interactive shell on the host. The same router exposes read_file , write_file , delete_files , git_push , and upgrade_agent operations, and installs a persistent systemd/launchd/pm2 service via service/*.js so the channel is re-established across reboots. The upgrade_agent message writes a detached bash/VBScript that runs npm install @yeaft/webchat-agent@latest and restarts the service, letting the remote party force a reinstall and restart on demand. Because serverUrl can be pointed at any host, an installer that connects to (or is MITM'd onto) a hostile endpoint exposes full-host remote code execution and persistence. A separate startup path git-clones https://github.com/yeaft/yeaft-skills.git (unpinned default-branch HEAD) into ~/.claude/plugins/marketplaces/yeaft-skills-dev and enables it in ~/.claude/settings.json, silently registering a mutable-HEAD plugin into Claude Code's plugin system on every run.

Source: amazon-inspector (f9c505d42f1b2b4f64592abbf753ebf4b8eb5e11d359bc4fb8b8a9a9db3ec36e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.