registry  /  stella-ai-cli  /  3.0.1

stella-ai-cli@3.0.1

Stella AI — умный CLI-ассистент

AI Security Review

scanned 3h ago · by lpm-firewall-ai

No confirmed malicious install-time or import-time attack surface was found. The package does collect service login credentials and token during user-invoked CLI login, then stores them locally in plaintext and sends them over HTTP to a hardcoded IP.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs stella login or interactive stella chat; bot.js only if manually executed.
Impact
Potential exposure of Stella service credentials/token due plaintext local storage and default HTTP transport, but no evidence of unrelated credential theft or covert exfiltration.
Mechanism
user-invoked service auth and LLM API client with insecure credential handling
Rationale
Static inspection shows risky credential handling, but the credential flow is user-invoked and aligned with the advertised Stella CLI authentication path rather than covert malware behavior. Because the default endpoint is unauthenticated HTTP to a hardcoded IP and plaintext secrets are stored, downgrade to warn rather than mark clean.
Evidence
package.jsonbin/stella.jsbot.js~/.stella/config.json
Network endpoints4
62.238.2.22:8787t.me/ofical_stellabot127.0.0.1:8788telegra.ph/Polzovatelskoe-soglashenie-06-26-600

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10133
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in stella-ai-cli (npm)
Details
The `stella` CLI shipped in bin/stella.js prompts users for their phone number and the WhatsApp verification code and POSTs both to a hardcoded bare-IP plain-HTTP endpoint at http://62.238.2.22:8787 (paths /api/v1/auth/register/register and /verify). Subsequent chat input is sent to the same host. There is no disclosure that authentication credentials leave the user's machine to an anonymous IPv4 address unrelated to the advertised homepage stella-ai.app. In addition, bin/postinstall.js and install.bat implement a dropper flow that downloads stella-latest.tar.gz from the same bare-IP plain-HTTP endpoint, extracts it under ~/.stella, installs the Bun runtime via `curl -fsSL https://bun.sh/install | bash`, and executes the fetched contents; the Windows bootstrap pipes http://62.238.2.22:8787/install.ps1 directly into `iex`. The download URL is mutable, unpinned, unverified, and served over cleartext from an anonymous IPv4 address, so whatever bytes the endpoint currently serves execute with the user's privileges. Package metadata reinforces the mismatch: homepage stella-ai.app, repository github.com/anomalyco/opencode, operational endpoint a raw IPv4.

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for block
  • bin/stella.js prompts for login/password and POSTs them to /api/v1/auth/login on default http://62.238.2.22:8787.
  • bin/stella.js persists login, password, token, and user under ~/.stella/config.json in plaintext.
  • bot.js contains a hardcoded Telegram bot token and starts polling if manually executed.
Evidence against
  • package.json has no lifecycle scripts; install/import does not execute code automatically.
  • Only declared bin is bin/stella.js; risky network calls require user running stella login/chat.
  • No child_process, eval/vm/Function, native loading, persistence, destructive behavior, or project/AI-agent control-surface writes found.
  • Network calls are aligned with the package's advertised CLI assistant/auth functionality; no harvesting of unrelated env/files observed.
  • bot.js is not declared as bin/main and its HUB_URL defaults to localhost.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 17.2 KB of source, external domains: 127.0.0.1, 62.238.2.22, t.me, telegra.ph

Source & flagged code

1 flagged · loading source
bot.jsView file
2L3: const BOT_TOKEN = process.env.BOT_TOKEN || "8757382004:AAF7A1_weZlvg4YtHGO1emYiFY4itYf2h0w" L4: const HUB_URL = process.env.HUB_URL || "http://127.0.0.1:8788" L5: const bot = new TelegramBot(BOT_TOKEN, { polling: true }) ... L19: if (token) headers["Authorization"] = `Bearer ${token}` L20: return fetch(`${HUB_URL}${path}`, { method, headers, body: body ? JSON.stringify(body) : undefined }).then(r => r.json()).catch(e => ({ ok: false, error: e.message })) L21: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

bot.jsView on unpkg · L2

Findings

1 Critical2 Medium3 Low
CriticalCredential Exfiltrationbot.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings