registry  /  sakuraai  /  0.0.11

sakuraai@0.0.11

Sakura Agent CLI + local runtime for managing AI coding sessions (Claude Code, Codex, OpenCode) and reaching them privately from the Sakura mobile app over Tailscale

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10746 confirms this npm version as malicious. When the daemon is started (e.g. via `sakura daemon start`), the package binds an HTTP+WebSocket server on 0.0.0.0 and additionally exposes it via a Tailscale sidecar. The WebSocket handler spawns an interactive OS shell (`process.env.SHELL || /bin/zsh` on Unix, `cmd.exe` on Windows) with the `-i` flag and pipes incoming WebSocket `{type:'input', data:...}` frames directly into the shell's stdin, streaming...

Advisory
MAL-2026-10746
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in sakuraai (npm)
Details
When the daemon is started (e.g. via `sakura daemon start`), the package binds an HTTP+WebSocket server on 0.0.0.0 and additionally exposes it via a Tailscale sidecar. The WebSocket handler spawns an interactive OS shell (`process.env.SHELL || /bin/zsh` on Unix, `cmd.exe` on Windows) with the `-i` flag and pipes incoming WebSocket `{type:'input', data:...}` frames directly into the shell's stdin, streaming stdout/stderr back over the same socket (dist/index.js: `spawn(shell, ["-i"],...)`, `writeTerminal(ws, msg.data)`, `server.listen(port, host === "127.0.0.1"? "0.0.0.0": host,...)`). Any party with network reachability to the daemon — anyone on the LAN, or anyone with a valid bearer token over the Tailscale tailnet — obtains full-host command execution as the user running the daemon. A separate `postinstall` script (`scripts/download-tsnet.js`, `scripts/download-onboard.js`) fetches `sakura-tsnet` / `sakura-onboard` binaries from `https://github.com/Nishu0/sakura-tsnet/releases/download/v<version>/...` over HTTPS, pinned to the package version but without hash/signature verification; the publishing GitHub account (`Nishu0`) is a personal account rather than an organization matching the advertised `Sakura` / `sakura.mom` publisher identity.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 3 file(s), 108 KB of source, external domains: 0.0.0.0, 127.0.0.1, api.sakura.mom, exp.host, github.com, tailscale.com, www.sakura.mom

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/download-tsnet.js && node scripts/download-onboard.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/download-tsnet.js && node scripts/download-onboard.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
18try { L19: return JSON.parse(fs.readFileSync(TSNET_PATH, "utf8")); L20: } catch { ... L38: function defaultConfig() { L39: const hostname2 = os.hostname(); L40: return { ... L87: "use strict"; L88: SAKURA_DIR = process.env.SAKURA_HOME ?? path.join(os.homedir(), ".sakura"); L89: CONFIG_PATH = path.join(SAKURA_DIR, "config.json"); ... L106: async function postJson(base, path12, body, token) { L107: const res = await fetch(`${base}${path12}`, { L108: method: "POST",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/index.jsView on unpkg · L18

Findings

2 High4 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitydist/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License