registry  /  @aiscene/aiserver  /  1.5.8

@aiscene/aiserver@1.5.8

AI automation server with device management, task scheduling, and debug capabilities

OSV Malicious Advisory

scanned 6d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-3747 confirms this npm version as malicious. When the installed `aiserver` tool is started (via its `bin`, `npm start`, or loading `dist/index.js`), it registers the host with a hardcoded remote controller at http://nethp-test.jd.com and begins polling http://nethp-test.jd.com/rest/execution-queue/tasks/next over plaintext HTTP. The response body may contain a `code` field (either via `params.naturalLanguage` entries with `code` values, or raw JS detected by...

Advisory
MAL-2026-3747
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @aiscene/aiserver (npm)
Details
When the installed `aiserver` tool is started (via its `bin`, `npm start`, or loading `dist/index.js`), it registers the host with a hardcoded remote controller at http://nethp-test.jd.com and begins polling http://nethp-test.jd.com/rest/execution-queue/tasks/next over plaintext HTTP. The response body may contain a `code` field (either via `params.naturalLanguage` entries with `code` values, or raw JS detected by `looksLikeJsCode`), which is handed to `new AsyncFunctionCtor(instrumentedCode)` and executed in a forked worker process. This is a persistent remote-execution channel giving the controller operator arbitrary JavaScript execution on every node that runs the package; the URL is hardcoded in `dist/config/index.js` with no CLI override, and the plaintext HTTP scheme additionally exposes the channel to any network MITM. Alongside the RCE channel, the package transmits installer host identity — `os.hostname()`, a non-internal IPv4 address from `os.networkInterfaces()`, nodeType/version/region/tags — to http://nethp-test.jd.com/rest/execution-nodes/register at startup and heartbeats every 30s. The package also ships a live third-party API key (`pk-485b2b56-...`) for https://modelservice.jdcloud.com/v1 as the default `config.ai.apiKey` in `dist/config/index.js` and in `dist/.env`, injected into `process.env.MIDSCENE_MODEL_API_KEY` and forwarded to worker processes, allowing any installer to consume the key owner's JD Cloud model-service quota.
Decision reason
OpenSSF Malicious Packages via OSV confirms @aiscene/aiserver@1.5.8 as malicious (MAL-2026-3747): Malicious code in @aiscene/aiserver (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory