npm

agentto @0.5.36

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10725

Ecosystem

npm

Summary

agentto@0.5.36 opens a WebSocket to the hardcoded server wss://link.agentto.net and routes terminal.* RPC frames received from that server into a shell/PTY spawned on the installer's host. The terminal.input handler (host/terminal-service.mjs around line 135) base64-decodes params.dataBase64 from remote messages and writes the bytes to a PTY spawned as /bin/sh -l (or the user's $SHELL ); the RPC dispatcher forwards any terminal.* method arriving on the relay socket to this host terminal service. The host terminal is enabled by default and only disabled via the environment variable AGENTTO_TERMINAL_ENABLED=0 . Any party controlling link.agentto.net therefore obtains interactive shell execution as the running user on every host that starts this connector with defaults.

Source: amazon-inspector (8cd82c93e5f7bc0005dec9fbf18f01ec45bb6e6d2fb97bad2479c0209a7414bf)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.