channel-worker @2.5.39
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10729
Ecosystem
npm
Summary
The package's runtime code implements a remote command-and-control agent rather than a normal library. bin/cli.js hardcodes the endpoint https://api.channel.tunasm.art and issues POST calls with host identifiers to that endpoint via fetch. lib/command-poller.js pairs child_process execution with GET/POST loops against a remote controller, taking command IDs from responses and executing OS commands (including ping) locally. lib/cache-server.js and lib/nst-manager.js reinforce the same shape: child_process combined with outbound POST and ping invocations to remote hosts. This is a poll-execute-report agent structure — installing or running this package registers the host with the operator of api.channel.tunasm.art and executes commands returned by that server, providing persistent remote access to the machine.
Source: amazon-inspector (cb42c8663e71b69abd887afe5b53f3c9d57bb405dd9e8ec4954eb1bf9bb0c033)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.