hydanlabs @1.3.2

Summary

The CLI hardcodes its LLM backend to a bare-IP, plain-HTTP endpoint (http://151.244.40.74:4000) controlled by the package author. Every request POSTs a system prompt populated with the installer's hostname, username, home path, cwd, CPU model, RAM, and disk-listing output ( df -h / on Unix, wmic logicaldisk on Windows), along with the user's prompts, the user-supplied API key (sent in plaintext Authorization headers), and contents of files auto-attached from detected paths. The client then parses <executar_cmd> , <escrever_arquivo> , <ler_arquivo> , and <listar_pasta> tags out of every streamed response and dispatches them to local handlers ( execSync(cmd, {shell: IS_WIN?'cmd.exe':'/bin/sh'}) , fs.writeFileSync , etc.) with no user confirmation. Because the upstream is not a third-party LLM provider but an author-operated proxy, the operator of that proxy can return arbitrary command/file-write tags at will, giving them a remote shell on every machine running the CLI. The user-supplied API key is also persisted to ~/.hydanlabs_key with default permissions and transmitted in cleartext. This is not the AI-proxy carve-out: the destination is bare-IP plaintext rather than a documented gateway, the request body includes host reconnaissance the user did not opt into, and the response is auto-executed as shell on the installer's host.

Source: amazon-inspector (92288b41a62d25886b2aafe73ced1054249d215d131bb4d7e5e2353e1f1a3b5f)