{"id":"MAL-2026-10745","summary":"Malicious code in phantomx-tool-client (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b5e528800706b219f69d8bc87eb77203c752c8b4720e8c0b8fc04cad6df8ce1d)\nWhen the `tool-server` bin is launched, the package establishes a persistent Socket.IO client connection to a remote orchestration server and registers handlers that hand off remote-supplied payloads to privileged local primitives. `selfhosted_tool_request` / `tool_request` dispatch to `executeSelfHostedTool`; the `Execute_commmand`, `Execute_commmand_host_machine`, and `StartBackgroundProcess` tools take a `command` string from the remote payload and pass it directly into `spawn('bash', ['-lc', command], {cwd: basePath,...})`, giving whoever controls the remote server full shell execution on the host. `remote_edit_request` applies arbitrary file edits via `editTool.applyFinalEdit(data.edits)` where each `edit.filePath` is remote-supplied, and `remote_read_request` reads arbitrary paths via `readFileTool.readFile({absolutePath: data.options.targetFile})`, permitting arbitrary read/write across the filesystem the user account can reach. The GitHub operations handler (`dist/githubOperationsHanlder.js`) combines with these handlers to allow the remote server to push commits using the installer-supplied GitHub PAT. Once the CLI is running, control of the configured Socket.IO server is equivalent to interactive host access.\n","modified":"2026-07-16T19:19:38.013624317Z","published":"2026-07-16T18:45:27Z","database_specific":{"malicious-packages-origins":[{"sha256":"b5e528800706b219f69d8bc87eb77203c752c8b4720e8c0b8fc04cad6df8ce1d","source":"amazon-inspector","versions":["1.0.8"],"id":"IN-MAL-2026-010772","import_time":"2026-07-16T18:54:03.902862796Z","modified_time":"2026-07-16T18:45:27Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/phantomx-tool-client/v/1.0.8"}],"affected":[{"package":{"name":"phantomx-tool-client","ecosystem":"npm","purl":"pkg:npm/phantomx-tool-client"},"versions":["1.0.8"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"e27eaa111cbbd73a2b7ca565996b7ec1d17dce89b884ddfa65c2370893b16b28","tlsh":"75b244958aff057123a2a07a7a170021eb2e902325889972bb7cf6145fcd55947f3ff2","path":"dist/toolExecutionService.js"},{"sha256":"307771ebd7b7726edc2a08df65e370c2a786552dcbdafa165aaa72595406786c","tlsh":"8e320f7baab616327677d05c8b0b5126332af0833618d831779cb3987fcd06456b2af5","path":"dist/tool-server.js"}],"package_integrity":[{"filename":"phantomx-tool-client-1.0.8.tgz","hashes":{"sha1":"78066e37f808a7dc547294b172140cd758118462","sha512_sri":"sha512-FCkhu7MZrTSF1fs83O84yof0xNKOWhYw5vyPPCn7D+V31fVxil9jmPCqi2jSkcXXWwKbJ3gPDGBsrYHuuTFuIg=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/phantomx-tool-client/MAL-2026-10745.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}