OSV Malicious Advisory
scanned 14h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10729 confirms this npm version as malicious. The package's runtime code implements a remote command-and-control agent rather than a normal library. bin/cli.js hardcodes the endpoint https://api.channel.tunasm.art and issues POST calls with host identifiers to that endpoint via fetch. lib/command-poller.js pairs child_process execution with GET/POST loops against a remote controller, taking command IDs from responses and executing OS commands (including ping)...
Advisory
MAL-2026-10729
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in channel-worker (npm)
Details
The package's runtime code implements a remote command-and-control agent rather than a normal library. bin/cli.js hardcodes the endpoint https://api.channel.tunasm.art and issues POST calls with host identifiers to that endpoint via fetch. lib/command-poller.js pairs child_process execution with GET/POST loops against a remote controller, taking command IDs from responses and executing OS commands (including ping) locally. lib/cache-server.js and lib/nst-manager.js reinforce the same shape: child_process combined with outbound POST and ping invocations to remote hosts. This is a poll-execute-report agent structure — installing or running this package registers the host with the operator of api.channel.tunasm.art and executes commands returned by that server, providing persistent remote access to the machine.
Decision reason
OpenSSF Malicious Packages via OSV confirms channel-worker@2.5.39 as malicious (MAL-2026-10729): Malicious code in channel-worker (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory