registry  /  codeam-cli  /  2.61.1

codeam-cli@2.61.1

Workflow-continuity bridge for AI coding agents. Wrap Claude Code or Codex in a PTY and supervise, approve, and redirect the session from any device — async. The terminal companion for CodeAgent Mobile.

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10730 confirms this npm version as malicious. codeam-cli spawns a node-pty pseudo-terminal wrapping the local Claude Code / Codex agent process and connects outbound over WebSocket to a hardcoded relay at https://api.codeagent-mobile.com. Messages received from the remote relay are written into the local PTY via pty.write as if typed at the keyboard, meaning any party controlling the paired mobile/web session on that relay can inject arbitrary keystrokes into...

Advisory
MAL-2026-10730
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in codeam-cli (npm)
Details
codeam-cli spawns a node-pty pseudo-terminal wrapping the local Claude Code / Codex agent process and connects outbound over WebSocket to a hardcoded relay at https://api.codeagent-mobile.com. Messages received from the remote relay are written into the local PTY via pty.write as if typed at the keyboard, meaning any party controlling the paired mobile/web session on that relay can inject arbitrary keystrokes into the local agent shell. Because the wrapped agent has local tool access (shell commands, file read/write), this dataflow is functionally full-host remote code execution against the installer's machine, mediated by the vendor's relay. The README additionally documents a user-invoked self-hosted enrollment path that pipes https://api.codeagent-mobile.com/api/self-hosted/enroll.sh into sh with an enrollment token, standing up the same relay-driven agent (and a systemd service) on additional hosts; this fetch is from the package's own publisher domain and user-invoked, so it is not an install-time dropper on its own, but it extends the same remote-control plane. The bundle also mutates PATH in several locations in dist/index.js.
Decision reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
Manifest
WildcardDependency
scanned 15 file(s), 1.32 MB of source, external domains: 127.0.0.1, api.codeagent-mobile.com, api.github.com, api.kimi.com, astral.sh, auth.kimi.com, brew.sh, claude.ai, cli.coderabbit.ai, cli.github.com, code.kimi.com, codeagent-mobile.com, cursor.com, dev-api.codeagent-mobile.com, dev.azure.com, discord.gg, docs.gitlab.com, docs.railway.app, eu-assets.i.posthog.com, eu.i.posthog.com, github.com, gitlab.com, gitpod.io, posthog.com, raw.githubusercontent.com, registry.npmjs.org, sentry.io, status.anthropic.com, status.cloud.google.com, status.codeagent-mobile.com, status.cursor.com, status.openai.com, us-assets.i.posthog.com, us.i.posthog.com, www.codeagent-mobile.com, www.githubstatus.com, yandex.com

Source & flagged code

14 flagged · loading source
package.jsonView file
scripts.postinstall = node dist/postinstall.js || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node dist/postinstall.js || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = codeam-cli@2.53.0 matchedIdentity = npm:Y29kZWFtLWNsaQ:2.53.0 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
6092// src/lib/git-branch.ts L6093: var import_child_process = require("child_process"); L6094: function detectCurrentBranch(cwd = process.cwd()) {
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L6092
8431if (process.platform === "win32") { L8432: return process.env.COMSPEC ?? "powershell.exe"; L8433: }
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L8431
6081process.stderr.write( L6082: "\n codeam-cli sends anonymous + identified usage events to PostHog\n (same project as the mobile + web apps). Opt out at any time:\n export CODEAM_TELEMETRY=0\n See https://... L6083: ); ... L6087: function vercelBypassHeader() { L6088: const token = process.env.CODEAM_VERCEL_BYPASS; L6089: return token ? { "x-vercel-protection-bypass": token } : {}; ... L6092: // src/lib/git-branch.ts L6093: var import_child_process = require("child_process"); L6094: function detectCurrentBranch(cwd = process.cwd()) {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/index.jsView on unpkg · L6081
6080} L6081: process.stderr.write( L6082: "\n codeam-cli sends anonymous + identified usage events to PostHog\n (same project as the mobile + web apps). Opt out at any time:\n export CODEAM_TELEMETRY=0\n See https://... L6083: ); ... L6092: // src/lib/git-branch.ts L6093: var import_child_process = require("child_process"); L6094: function detectCurrentBranch(cwd = process.cwd()) {
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/index.jsView on unpkg · L6080
403// fully documented, no reverse-engineering. OAuth `/login` (login-state at L404: // ~/.kimi-code/credentials/<name>.json, base https://api.kimi.com/coding/) L405: // is declared so it can land later without a wire change, but capturing ... L887: L888: Read package.json, Procfile, Dockerfile, docker-compose.yml, manage.py, app.json, L889: mix.exs, Cargo.toml, go.mod, requirements.txt, Gemfile, and any other framework ... L891: L892: Return ONLY a JSON object on stdout (no prose, no markdown fences): L893: ... L946: function currentLevel() { L947: if (process.env.CODEAM_DEBUG === "1") return LEVELS.trace; L948: const raw = (process.env.CODEAM_LOG ?? "error").toLowerCase();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L403
758var DEV_API_BASE_URL = "https://dev-api.codeagent-mobile.com"; L759: function resolveApiBaseUrl() { L760: const env = globalThis.process?.env; ... L1014: const tmp = `${debugFilePath}.${process.pid}.tmp`; L1015: fs.writeFileSync(tmp, header); L1016: fs.renameSync(tmp, debugFilePath); ... L6092: // src/lib/git-branch.ts L6093: var import_child_process = require("child_process"); L6094: function detectCurrentBranch(cwd = process.cwd()) {
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/index.jsView on unpkg · L758
7543package = codeam-cli; repositoryIdentity = codeagent-mobile-clients; dependency = chokidar L7543: try { L7544: return require("chokidar"); L7545: } catch {
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dist/index.jsView on unpkg · L7543
11648fs11.writeFileSync(this.helperPath, PYTHON_PTY_HELPER, { mode: 420 }); L11649: this.proc = (0, import_child_process7.spawn)(python, [this.helperPath, cmd, ...args2], { L11650: stdio: ["pipe", "pipe", "inherit"], ... L11663: \u2717 Failed to launch Claude Code: ${err.message} L11664: Make sure claude is correctly installed: npm install -g @anthropic-ai/claude-code L11665: `
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

dist/index.jsView on unpkg · L11648
8var __hasOwnProp = Object.prototype.hasOwnProperty; L9: var __commonJS = (cb, mod) => function __require() { L10: return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/index.jsView on unpkg · L8
403// fully documented, no reverse-engineering. OAuth `/login` (login-state at L404: // ~/.kimi-code/credentials/<name>.json, base https://api.kimi.com/coding/) L405: // is declared so it can land later without a wire change, but capturing ... L887: L888: Read package.json, Procfile, Dockerfile, docker-compose.yml, manage.py, app.json, L889: mix.exs, Cargo.toml, go.mod, requirements.txt, Gemfile, and any other framework ... L891: L892: Return ONLY a JSON object on stdout (no prose, no markdown fences): L893: ... L946: function currentLevel() { L947: if (process.env.CODEAM_DEBUG === "1") return LEVELS.trace; L948: const raw = (process.env.CODEAM_LOG ?? "error").toLowerCase();
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.jsView on unpkg · L403
dist/vendor/node-pty/prebuilds/win32-arm64/pty.nodeView file
path = dist/vendor/node-pty/prebuilds/win32-arm64/pty.node kind = native_binary sizeBytes = 293376 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

dist/vendor/node-pty/prebuilds/win32-arm64/pty.nodeView on unpkg

Findings

1 Critical9 High8 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighShelldist/index.js
HighSame File Env Network Executiondist/index.js
HighCommand Output Exfiltrationdist/index.js
HighSandbox Evasion Gated Capabilitydist/index.js
HighRemote Agent Bridgedist/index.js
HighCopied Package Dependency Bridgedist/index.js
HighRuntime Package Installdist/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/index.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.js
MediumShips Native Binarydist/vendor/node-pty/prebuilds/win32-arm64/pty.node
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings