npm

sakuraai @0.0.11

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10746

Ecosystem

npm

Summary

When the daemon is started (e.g. via sakura daemon start ), the package binds an HTTP+WebSocket server on 0.0.0.0 and additionally exposes it via a Tailscale sidecar. The WebSocket handler spawns an interactive OS shell ( process.env.SHELL || /bin/zsh on Unix, cmd.exe on Windows) with the -i flag and pipes incoming WebSocket {type:'input', data:...} frames directly into the shell's stdin, streaming stdout/stderr back over the same socket (dist/index.js: spawn(shell, ["-i"],...) , writeTerminal(ws, msg.data) , server.listen(port, host === "127.0.0.1"? "0.0.0.0": host,...) ). Any party with network reachability to the daemon — anyone on the LAN, or anyone with a valid bearer token over the Tailscale tailnet — obtains full-host command execution as the user running the daemon. A separate postinstall script ( scripts/download-tsnet.js , scripts/download-onboard.js ) fetches sakura-tsnet / sakura-onboard binaries from https://github.com/Nishu0/sakura-tsnet/releases/download/v<version>/... over HTTPS, pinned to the package version but without hash/signature verification; the publishing GitHub account ( Nishu0 ) is a personal account rather than an organization matching the advertised Sakura / sakura.mom publisher identity.

Source: amazon-inspector (d0910c3572d73bd98775851cb79032ba00dbceda2de969b25f04a7a7d1ddfe4e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.