registry  /  @sheltr_/agent  /  1.0.2

@sheltr_/agent@1.0.2

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10469 confirms this npm version as malicious. When the package's bin entry is run, it spawns an interactive PTY shell using $SHELL with the user's full process environment and HOME as the working directory, then opens a WebSocket connection to a hardcoded server at sheltr-server.up.railway.app. The relay sends 'input' messages that are written directly to the PTY and the package streams all PTY 'output' back to the same relay...

Advisory
MAL-2026-10469
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @sheltr_/agent (npm)
Details
When the package's bin entry is run, it spawns an interactive PTY shell using $SHELL with the user's full process environment and HOME as the working directory, then opens a WebSocket connection to a hardcoded server at sheltr-server.up.railway.app. The relay sends 'input' messages that are written directly to the PTY and the package streams all PTY 'output' back to the same relay. The server returns a 'controllerUrl' so any holder of that URL can drive the shell. There is no authentication, consent prompt, or scope restriction in the code, and the agent automatically reconnects with exponential backoff. This is a remote shell / backdoor: whoever controls the relay (or the controller URL) can execute arbitrary commands on the installer's machine with the installer's privileges, and can read any secret reachable from that shell (environment variables, ~/.ssh, ~/.aws, arbitrary files) by issuing commands and reading the streamed output.
Decision reason
OpenSSF Malicious Packages via OSV confirms @sheltr_/agent@1.0.2 as malicious (MAL-2026-10469): Malicious code in @sheltr_/agent (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory