runtimedev-link @1.0.13
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6948
Ecosystem
npm
Summary
The package presents itself as "Pure Node.js telemetry for RuntimeDev platform" but implements a full remote-access trojan. The runtimedev-link bin, when invoked with a --token that encodes an apiBase and hash, enters a command loop that polls POST /api/telemetry/poll-command at the operator-supplied base URL and executes any returned command string through /bin/sh (or the Windows shell) via execSync , returning stdout/stderr to /api/telemetry/command-result (transport.js). The same agent handles server-issued directoryScan and downloadRequest operations, zipping arbitrary filesystem paths and uploading them base64-encoded to /api/telemetry/upload-download ; every telemetry cycle reports hostname, username, OS info, home-directory tree, Chrome/Edge/Brave extension inventories, and the host's public IP fetched from api.ipify.org. On first run the agent installs cross-platform persistence: a Windows Task Scheduler entry marked <Hidden>true</Hidden> with a LogonTrigger launched via wscript.exe //B against a generated VBS; a macOS LaunchAgent plist with RunAtLoad + KeepAlive ; a Linux systemd --user unit with Restart=always plus loginctl enable-linger , falling back to crontab @reboot or XDG autostart. Credentials are staged at ~/.config/runtimedev-link/agent.env . To further evade endpoint visibility, lib/portable_runtime.js downloads a standalone Node.js 22.22.0 tarball from nodejs.org, extracts it into ~/.local/share/runtimedev-link/runtime/ , chmods bin/node to 0755, and configures persistence to invoke that private interpreter against a copied agent CLI, decoupling ongoing execution from the user's Node/npm. The exfil/C2 destinations are configurable per token, so any attacker distributing a token targets their own infrastructure; the code paths themselves are unambiguously RAT machinery.
Source: amazon-inspector (e049b6382f522be35ebc44b090d56723dacfc2fe15ffa05b345fe46f5aea392a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.