registry  /  @thenewlabs/locus-server  /  0.3.12

@thenewlabs/locus-server@0.3.12

One-command self-contained Locus server: hosted workbench SPA + preview origin + entangle blind relay on a single port

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Explicitly running the CLI opens a WebSocket relay for registered agents and capability holders. The bundled protocol supports command and PTY request frames, creating a remote execution control surface when deployed.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `locus-server` and exposes the configured HTTP/WebSocket listener.
Impact
An exposed or leaked capability can permit remote command/terminal control through a connected agent; no autonomous install-time behavior is present.
Mechanism
Capability-ID WebSocket relay forwarding command/PTY protocol frames to agents.
Rationale
Source inspection shows an intentional but high-risk remote agent command/PTY relay, with no evidence of covert execution, exfiltration, persistence, or lifecycle abuse. Warn for dangerous capability and exposed-control-surface risk rather than block as malicious.
Evidence
package.jsondist/cli.jsdist/relay.jsdist/entangle-client.jsweb/sw.jsweb/assets/html.worker-B3Ztmmz2.js.mapweb/assets/html.worker-B3Ztmmz2.js
Network endpoints2
/agent/register/relay/<capId>

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `dist/relay.js` exposes WebSocket routes `/agent/register` and `/relay/<capId>`.
  • `dist/relay.js` forwards arbitrary binary invoker frames to the agent owning a capability.
  • `dist/relay.js` protocol accepts `cmd`/`pty` modes with an `argv`, cwd, and env.
  • `dist/relay.js` defaults `AGENT_SHELL` and `SPAWN_SANDBOX` to `/bin/bash` and `none`.
  • `/relay/<capId>` does not perform separate invoker authentication; access relies on capability IDs.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall`; only `prepublishOnly`.
  • `dist/cli.js` starts the server only after an explicit `locus-server` invocation.
  • No credential harvesting, file-write, destructive, or AI-agent config mutation was found.
  • `web/sw.js` is a same-origin preview relay service worker, not an install-time payload.
  • The hinted HTML worker maps to Monaco editor sources; no bidi controls were found.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 95 file(s), 5.64 MB of source, external domains: bugzilla.mozilla.org, code.google.com, developer.mozilla.org, developers.google.com, drafts.csswg.org, en.wikipedia.org, git.new, github.com, googlechrome.github.io, hacks.mozilla.org, help.yahoo.com, html.spec.whatwg.org, locus.example.com, r12a.github.io, react.dev, sass-lang.com, schema.org, stackoverflow.com, support.google.com, tools.ietf.org, wiki.whatwg.org, www.apache.org, www.bing.com, www.dmoz.org, www.iana.org, www.ietf.org, www.w3.org, www.whatwg.org
Oversized source lightweight scan
web/assets/index-Bh4-HEEB.js4.09 MB file, sampled 256 KB
NetworkChildProcessObfuscatedHighEntropyStringsMinifiedUrlStringsreact.devwww.w3.org
web/assets/ts.worker-0mEyHVru.js5.64 MB file, sampled 256 KB
FilesystemNetworkUrlStringswww.apache.org

Source & flagged code

9 flagged · loading source
dist/relay.jsView file
28503import { EventEmitter } from "node:events"; L28504: import childProcess from "node:child_process"; L28505: import path from "node:path";
High
Child Process

Package source references child process execution.

dist/relay.jsView on unpkg · L28503
30318} L30319: const execArgv = process2.execArgv ?? []; L30320: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/relay.jsView on unpkg · L30318
180Cross-file remote execution chain: dist/relay.js spawns dist/entangle-client.js; helper contains network access plus dynamic code execution. L180: for (let i = 0; i < namespace.length; i++) { L181: hash = (hash << 5) - hash + namespace.charCodeAt(i); L182: hash |= 0; ... L439: let m; L440: return typeof document !== "undefined" && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance || // Is firebug? http://sta... L441: typeof window !== "undefined" && window.console && (window.console.firebug || window.console.exception && window.console.table) || // Is firefox >= v31? ... L484: if (!r && typeof process !== "undefined" && "env" in process) { L485: r = process.env.DEBUG; L486: } ... L570: } L571: if (process.platform === "win32") { L572: const osRelease = os.release().split(".");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/relay.jsView on unpkg · L180
2import { createRequire as __lsCreateRequire } from 'module'; L3: const require = __lsCreateRequire(import.meta.url); L4: var __create = Object.create;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/relay.jsView on unpkg · L2
1026site.name = fn.name; L1027: var deprecatedfn = new Function( L1028: "fn",
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/relay.jsView on unpkg · L1026
180for (let i = 0; i < namespace.length; i++) { L181: hash = (hash << 5) - hash + namespace.charCodeAt(i); L182: hash |= 0; ... L439: let m; L440: return typeof document !== "undefined" && document.documentElement && document.documentElement.style && document.documentElement.style.WebkitAppearance || // Is firebug? http://sta... L441: typeof window !== "undefined" && window.console && (window.console.firebug || window.console.exception && window.console.table) || // Is firefox >= v31? ... L484: if (!r && typeof process !== "undefined" && "env" in process) { L485: r = process.env.DEBUG; L486: } ... L570: } L571: if (process.platform === "win32") { L572: const osRelease = os.release().split(".");
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/relay.jsView on unpkg · L180
web/assets/html.worker-B3Ztmmz2.jsView file
22contains invisible/control Unicode U+2060 (word joiner) `,"nexist;":`∄`,"nexists;":`∄`,"Nfr;":`𝔑`,"nfr;":`𝔫`,"ngE;":`≧̸`,"nge;":`≱`,"ngeq;":`≱`,"ngeqq;":`≧̸`,"ngeqslant;":`⩾̸`,"nges;":`⩾̸`,"nGg;":`⋙̸`,"ngsim;":`≵`,"nGt;":`≫⃒`,"ngt;":`≯`,"ngtr;":`≯`,"nGtv;":`≫̸`,"nhArr;":`⇎`,"nharr;":`↮`,"nhpar;"
Critical
Trojan Source Unicode

Source contains bidi control or invisible Unicode characters associated with Trojan Source attacks.

web/assets/html.worker-B3Ztmmz2.jsView on unpkg · L22
web/assets/ts.worker-0mEyHVru.jsView file
path = web/assets/ts.worker-0mEyHVru.js kind = oversized_source_file sizeBytes = 5915668 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

web/assets/ts.worker-0mEyHVru.jsView on unpkg
web/sw.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @thenewlabs/locus-server@0.3.10 matchedIdentity = npm:[redacted]:0.3.10 similarity = 0.989 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

web/sw.jsView on unpkg

Findings

2 Critical4 High4 Medium8 Low
CriticalTrojan Source Unicodeweb/assets/html.worker-B3Ztmmz2.js
CriticalPrevious Version Dangerous Deltaweb/sw.js
HighChild Processdist/relay.js
HighShelldist/relay.js
HighCross File Remote Execution Contextdist/relay.js
HighOversized Source Fileweb/assets/ts.worker-0mEyHVru.js
MediumDynamic Requiredist/relay.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowEvaldist/relay.js
LowWeak Cryptodist/relay.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings