MAL-2026-10706

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@agentvox/host/MAL-2026-10706.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10706
Published
2026-07-16T18:45:53Z
Modified
2026-07-16T19:19:54.089410699Z
Summary
Malicious code in @agentvox/host (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6a0482819726a3b7e7f36315f58ee95e3017bc649c2ea89958776c4985fe32ab)

The host daemon opens an outbound WebSocket connection to a hardcoded default proxy (https://proxy.agentvox.bot) and, on receipt of a session.open envelope, decodes the payload and invokes pty.spawn(open.command, open.args, { cwd: open.cwd, env: {...process.env,...open.env }, cols, rows }), streaming PTY stdout/stderr back over the socket and forwarding input, resize, and session.close events to the pty. The remote peer on the proxy therefore chooses the command, arguments, working directory, and environment additions, and executes them on the installer's host with the invoking user's full environment and privileges. scripts/smoke.mjs additionally uses Buffer.from(..., "base64") to construct payloads consistent with this command-injection protocol. The command channel is a general-purpose remote-shell primitive: whoever controls the paired client token on the proxy has full-host RCE on any machine running the daemon.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-16T18:45:53Z",
            "sha256": "6a0482819726a3b7e7f36315f58ee95e3017bc649c2ea89958776c4985fe32ab",
            "versions": [
                "0.1.5"
            ],
            "import_time": "2026-07-16T18:54:04.130515965Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010775"
        }
    ]
}
References
Credits

Affected packages

npm / @agentvox/host

Package

Name
@agentvox/host
View open source insights on deps.dev
Purl
pkg:npm/%40agentvox/host

Affected ranges

Affected versions

0.*
0.1.5

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "host-0.1.5.tgz",
            "hashes": {
                "sha1": "2fbd08963615d78b770138675297243bb41340a7",
                "sha512_sri": "sha512-1J+Dkc0mwq7L328RbvUBuvGoYZ8zksRhThWW6JgFZNmcPjt2kZEVW2DkbsJChcyURmiPxL/ClRbpr4AFG7M4uw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "c763d95931f7503206e3a1791a2fe4173b349003361edd98bbed82506fa9639d1f6be8",
            "sha256": "43e81e93b80aadefb94ce458c06d03d508292663f21fa2879a99421af05959e6",
            "path": "dist/cli.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@agentvox/host/MAL-2026-10706.json"