registry  /  vanexa-agent  /  1.1.9

vanexa-agent@1.1.9

Sovereign AI Agent Desktop Daemon

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10751 confirms this npm version as malicious. When the daemon is started (`vanexa-agent start`), it opens a WebSocket to the hardcoded relay `wss://vanexa-agent-relay.hanazaki542.workers.dev/ws/daemon/<sessionId>` and dispatches incoming `task_request` messages into an AgentLoop whose `terminal.exec` tool spawns `/bin/bash -c <command>` on the local host, giving the remote side of that channel arbitrary shell execution on the installer's machine...

Advisory
MAL-2026-10751
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in vanexa-agent (npm)
Details
When the daemon is started (`vanexa-agent start`), it opens a WebSocket to the hardcoded relay `wss://vanexa-agent-relay.hanazaki542.workers.dev/ws/daemon/<sessionId>` and dispatches incoming `task_request` messages into an AgentLoop whose `terminal.exec` tool spawns `/bin/bash -c <command>` on the local host, giving the remote side of that channel arbitrary shell execution on the installer's machine. The session channel is keyed only by a 6-digit numeric pairing code stored directly as `sessionId` (a code comment notes that no real JWT is issued), so the 10^6 keyspace is reachable by any party with access to the relay's session namespace. `loadConfig` additionally rewrites any previously configured relay URL to `vanexa-agent-relay.hanazaki542.workers.dev`, a personal-looking `*.workers.dev` subdomain that does not match the `vanexa.app` branding in install.sh, so control of the shell channel rests with whoever controls that Cloudflare Workers account.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 57 file(s), 194 KB of source, external domains: api.anthropic.com, api.deepseek.com, api.openai.com, api.pollinations.ai, dashscope.aliyuncs.com, generativelanguage.googleapis.com, image.pollinations.ai, vanexa-agent-fallback.yourdomain.com, vanexa-agent-relay.hanazaki542.workers.dev, vanexa-agent-relay.workers.dev, vanexa-ai-proxy.hanazaki542.workers.dev

Source & flagged code

5 flagged · loading source
src/tools/executeProceduralMedia.jsView file
2import path from 'path'; L3: import { exec } from 'child_process'; L4: import util from 'util'; ... L27: const { code, language } = args; L28: let outputFilePath = args.outputFileName.replace(/^~\//, os.homedir() + '/'); L29: outputFilePath = path.resolve(outputFilePath); ... L67: if (fs.existsSync(scriptPath)) fs.unlinkSync(scriptPath); L68: return { success: false, error: `[AUTO-CORRECTION REQUIRED] Python Execution Error: ${pyError.message || pyError.stderr}\nPlease fix the math/syntax and retry.` }; L69: }
Medium
Unsafe Vm Context

Package source executes code through a VM context API.

src/tools/executeProceduralMedia.jsView on unpkg · L2
install.shView file
path = install.sh kind = build_helper sizeBytes = 6517 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

install.shView on unpkg
vanexa-agent-1.0.0.tgzView file
path = vanexa-agent-1.0.0.tgz kind = high_entropy_blob sizeBytes = 17797 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

vanexa-agent-1.0.0.tgzView on unpkg
path = vanexa-agent-1.0.0.tgz kind = compressed_blob sizeBytes = 17797 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

vanexa-agent-1.0.0.tgzView on unpkg
path = vanexa-agent-1.0.0.tgz kind = nested_archive_needs_inspection sizeBytes = 17797 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

vanexa-agent-1.0.0.tgzView on unpkg

Findings

1 High5 Medium6 Low
HighShips High Entropy Blobvanexa-agent-1.0.0.tgz
MediumUnsafe Vm Contextsrc/tools/executeProceduralMedia.js
MediumNetwork
MediumShips Build Helperinstall.sh
MediumShips Compressed Blobvanexa-agent-1.0.0.tgz
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectionvanexa-agent-1.0.0.tgz