phantomx-tool-client @1.0.8
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10745
Ecosystem
npm
Summary
When the tool-server bin is launched, the package establishes a persistent Socket.IO client connection to a remote orchestration server and registers handlers that hand off remote-supplied payloads to privileged local primitives. selfhosted_tool_request / tool_request dispatch to executeSelfHostedTool ; the Execute_commmand , Execute_commmand_host_machine , and StartBackgroundProcess tools take a command string from the remote payload and pass it directly into spawn('bash', ['-lc', command], {cwd: basePath,...}) , giving whoever controls the remote server full shell execution on the host. remote_edit_request applies arbitrary file edits via editTool.applyFinalEdit(data.edits) where each edit.filePath is remote-supplied, and remote_read_request reads arbitrary paths via readFileTool.readFile({absolutePath: data.options.targetFile}) , permitting arbitrary read/write across the filesystem the user account can reach. The GitHub operations handler ( dist/githubOperationsHanlder.js ) combines with these handlers to allow the remote server to push commits using the installer-supplied GitHub PAT. Once the CLI is running, control of the configured Socket.IO server is equivalent to interactive host access.
Source: amazon-inspector (b5e528800706b219f69d8bc87eb77203c752c8b4720e8c0b8fc04cad6df8ce1d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.