-= Per source details. Do not edit below this line.=-
The host daemon opens an outbound WebSocket connection to a hardcoded default proxy (https://proxy.agentvox.bot) and, on receipt of a session.open envelope, decodes the payload and invokes pty.spawn(open.command, open.args, { cwd: open.cwd, env: {...process.env,...open.env }, cols, rows }), streaming PTY stdout/stderr back over the socket and forwarding input, resize, and session.close events to the pty. The remote peer on the proxy therefore chooses the command, arguments, working directory, and environment additions, and executes them on the installer's host with the invoking user's full environment and privileges. scripts/smoke.mjs additionally uses Buffer.from(..., "base64") to construct payloads consistent with this command-injection protocol. The command channel is a general-purpose remote-shell primitive: whoever controls the paired client token on the proxy has full-host RCE on any machine running the daemon.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-16T18:45:53Z",
"sha256": "6a0482819726a3b7e7f36315f58ee95e3017bc649c2ea89958776c4985fe32ab",
"versions": [
"0.1.5"
],
"import_time": "2026-07-16T18:54:04.130515965Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010775"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "host-0.1.5.tgz",
"hashes": {
"sha1": "2fbd08963615d78b770138675297243bb41340a7",
"sha512_sri": "sha512-1J+Dkc0mwq7L328RbvUBuvGoYZ8zksRhThWW6JgFZNmcPjt2kZEVW2DkbsJChcyURmiPxL/ClRbpr4AFG7M4uw=="
}
}
],
"evidence_files": [
{
"tlsh": "c763d95931f7503206e3a1791a2fe4173b349003361edd98bbed82506fa9639d1f6be8",
"sha256": "43e81e93b80aadefb94ce458c06d03d508292663f21fa2879a99421af05959e6",
"path": "dist/cli.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@agentvox/host/MAL-2026-10706.json"