registry  /  aethereum  /  0.6.1

aethereum@0.6.1

The coordination layer for AI coding agents: contracts, intent, and collision alerts across machines.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `aethereum init`, then configured Claude hooks or hosted CLI commands run.
Impact
Can add package-owned MCP/hook configuration and send configured room events to its hosted service.
Mechanism
Explicit agent configuration plus authenticated hosted event synchronization.
Rationale
Source inspection contradicts the scanner's malicious conclusion: there is no install hook or concrete exfiltration chain. The explicit AI-agent configuration and runtime synchronization warrant a warning for capability review, not a block.
Evidence
package.jsondist/index.jsdist/cli/index.jsdist/chunk-CDPG6CHJ.js.mcp.json.claude/settings.json.codex/config.toml
Network endpoints2
www.aethereum.devregistry.npmjs.org/aethereum/latest

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/chunk-CDPG6CHJ.js` `runInit` wires MCP entries and Claude hooks.
  • `wireProject` writes project and some detected agent configuration files.
  • Claude hook commands invoke `aethereum hook ...` after explicit setup.
  • Hosted sync sends room events with a configured bearer token to the configured API.
Evidence against
  • `package.json` has only `prepublishOnly`; no install-time lifecycle hook.
  • CLI dispatch calls `runInit` only for the explicit `aethereum init` command.
  • Network defaults are package-aligned at `https://www.aethereum.dev`.
  • No confirmed credential harvesting, remote-code loading, or destructive behavior found.
  • The main library entrypoint only exports room/event APIs.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 27 file(s), 1.93 MB of source, external domains: 127.0.0.1, api.anthropic.com, beacon.claude-ai.staging.ant.dev, claude-staging.fedstart.com, claude.ai, claude.com, claude.fedstart.com, code.claude.com, docs.anthropic.com, docs.expo.dev, github.com, hooks.example.com, json-schema.org, json.schemastore.org, mcp-proxy.anthropic.com, opencode.ai, platform.claude.com, raw.githubusercontent.com, registry.npmjs.org, reviews.example.com, www.aethereum.dev

Source & flagged code

8 flagged · loading source
dist/chunk-CDPG6CHJ.jsView file
27} from "fs"; L28: import { execFileSync } from "child_process"; L29: import { join, resolve, basename } from "path";
High
Child Process

Package source references child process execution.

dist/chunk-CDPG6CHJ.jsView on unpkg · L27
27} from "fs"; L28: import { execFileSync } from "child_process"; L29: import { join, resolve, basename } from "path"; ... L49: try { L50: const j = await res.json(); L51: if (j?.error) detail = `: ${j.error}`; ... L75: async createAnonRoom(handle) { L76: const res = await this.send("/api/anon/room", { L77: method: "POST", ... L215: } L216: function printSplash(write = (s) => process.stdout.write(s), env = process.env, isTTY = Boolean(process.stdout.isTTY)) { L217: write(renderBanner(supportsColor(env, isTTY)) + "\n");
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/chunk-CDPG6CHJ.jsView on unpkg · L27
dist/sdk-5FRGHEGL.jsView file
4import { createRequire as $S } from "module"; L5: import { execFile as E6$ } from "child_process"; L6: import { randomUUID as rz } from "crypto"; ... L2049: Object.defineProperty(uj, "__esModule", { value: true }); L2050: var K6 = Q$(), Dd = { data: new K6.Name("data"), valCxt: new K6.Name("valCxt"), instancePath: new K6.Name("instancePath"), parentData: new K6.Name("parentData"), parentDataProperty... L2051: uj.default = Dd; ... L2641: function M(A) { L2642: let k = this.opts.uriResolver.resolve; L2643: if (A = D9(D ? k(D, A) : A), H.has(A)) throw V(A); ... L3384: } L3385: var Ir = Array.from({ length: 127 }, ($, Q) => /[^!"$&'()*+,\-.;=_`a-z{}~]/u.test(String.fromCharCode(Q))); L3386: function Rr($) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/sdk-5FRGHEGL.jsView on unpkg · L4
4Trigger-reachable chain: manifest.exports -> dist/claude/index.js -> dist/sdk-5FRGHEGL.js L4: import { createRequire as $S } from "module"; L5: import { execFile as E6$ } from "child_process"; L6: import { randomUUID as rz } from "crypto"; ... L2049: Object.defineProperty(uj, "__esModule", { value: true }); L2050: var K6 = Q$(), Dd = { data: new K6.Name("data"), valCxt: new K6.Name("valCxt"), instancePath: new K6.Name("instancePath"), parentData: new K6.Name("parentData"), parentDataProperty... L2051: uj.default = Dd; ... L2641: function M(A) { L2642: let k = this.opts.uriResolver.resolve; L2643: if (A = D9(D ? k(D, A) : A), H.has(A)) throw V(A); ... L3384: } L3385: var Ir = Array.from({ length: 127 }, ($, Q) => /[^!"$&'()*+,\-.;=_`a-z{}~]/u.test(String.fromCharCode(Q))); L3386: function Rr($) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/sdk-5FRGHEGL.jsView on unpkg · L4
22175var UF$ = _(() => pV.enum(eJ)); L22176: var _E = ["bash", "powershell"]; L22177: var $X = _(() => K.string().optional().describe('Permission rule syntax to filter when this hook runs (e.g., "Bash(git *)"). Only runs if the tool call matches the pattern. Avoids ...
High
Shell

Package source references shell execution.

dist/sdk-5FRGHEGL.jsView on unpkg · L22175
13581try { L13582: return new Function(""), true; L13583: } catch ($) {
High
Eval

Package source references dynamic code evaluation.

dist/sdk-5FRGHEGL.jsView on unpkg · L13581
4import { createRequire as $S } from "module"; L5: import { execFile as E6$ } from "child_process"; L6: import { randomUUID as rz } from "crypto"; ... L2049: Object.defineProperty(uj, "__esModule", { value: true }); L2050: var K6 = Q$(), Dd = { data: new K6.Name("data"), valCxt: new K6.Name("valCxt"), instancePath: new K6.Name("instancePath"), parentData: new K6.Name("parentData"), parentDataProperty... L2051: uj.default = Dd; ... L2641: function M(A) { L2642: let k = this.opts.uriResolver.resolve; L2643: if (A = D9(D ? k(D, A) : A), H.has(A)) throw V(A); ... L3384: } L3385: var Ir = Array.from({ length: 127 }, ($, Q) => /[^!"$&'()*+,\-.;=_`a-z{}~]/u.test(String.fromCharCode(Q))); L3386: function Rr($) {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/sdk-5FRGHEGL.jsView on unpkg · L4
dist/cli/index.jsView file
104// src/cli/serve.ts L105: import { createServer } from "http"; L106: import { spawn, execFileSync } from "child_process"; L107: import { randomUUID } from "crypto"; ... L115: var RETRY_SWEEP_MS = 15e3; L116: function createMirror(env = process.env, fetchImpl = fetch, opts = {}) { L117: const url = env.AETHEREUM_SYNC_API_URL;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L104

Findings

2 Critical5 High4 Medium5 Low
CriticalCredential Exfiltrationdist/sdk-5FRGHEGL.js
CriticalTrigger Reachable Dangerous Capabilitydist/sdk-5FRGHEGL.js
HighChild Processdist/chunk-CDPG6CHJ.js
HighShelldist/sdk-5FRGHEGL.js
HighEvaldist/sdk-5FRGHEGL.js
HighSame File Env Network Executiondist/cli/index.js
HighSandbox Evasion Gated Capabilitydist/chunk-CDPG6CHJ.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/sdk-5FRGHEGL.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings