{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/safeinstall-cli/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["safeinstall-cli"],"_cs_severities":["high"],"_cs_tags":["vulnerability","supply-chain","developer-tools","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["SafeInstall"],"content_html":"\u003cp\u003eA vulnerability has been identified in SafeInstall CLI versions up to 0.10.1, which impacts its agent guard's ability to properly intercept and evaluate commands. Attackers can exploit this flaw by crafting specific shell commands, which the guard fails to recognize as package-manager or registry-runner operations. This bypass is possible through techniques such as using case-variant launcher names (e.g., \u003ccode\u003enPM install\u003c/code\u003e), employing leading file-descriptor redirections (e.g., \u003ccode\u003e1\u0026gt;\u0026amp;2 npm install\u003c/code\u003e), or utilizing supported shell wrappers with specific options (e.g., \u003ccode\u003esh -c 'npm install'\u003c/code\u003e). Additionally, remote project scaffolding via package-manager \u003ccode\u003ecreate/init\u003c/code\u003e commands can also evade the guard's approval process. This allows a coding agent, influenced by an attacker, to execute malicious packages or runners without SafeInstall's policy evaluation, leading to potential compromise of local source code, credentials, and development resources with the developer's permissions. The vulnerability was discovered and remediated by the SafeInstall maintainer during adversarial parser testing.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains influence or control over a developer's coding agent, potentially through social engineering, a compromised project, or a malicious dependency.\u003c/li\u003e\n\u003cli\u003eThe attacker instructs the compromised coding agent to issue a shell command intended to execute a package installation or registry-provided scaffolding command.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the shell command to evade the SafeInstall agent guard, utilizing methods such as case-variant launcher names (e.g., \u003ccode\u003enPM install\u003c/code\u003e), leading file-descriptor redirections (e.g., \u003ccode\u003e1\u0026gt;\u0026amp;2 npm install\u003c/code\u003e), or supported shell wrappers with specific options (e.g., \u003ccode\u003esh -c 'npm install'\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe SafeInstall agent guard, due to its parsing limitations, fails to correctly classify the crafted command as a package-manager or registry-runner invocation.\u003c/li\u003e\n\u003cli\u003eConsequently, the guard bypasses its intended policy evaluation and enforcement of disabled lifecycle scripts for the command.\u003c/li\u003e\n\u003cli\u003eThe coding agent directly executes the package installation or registry-provided scaffolding command without SafeInstall's intervention.\u003c/li\u003e\n\u003cli\u003eA malicious package or runner is executed with the permissions of the developer's account, potentially leading to unauthorized access, data exfiltration, or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a crafted shell command to bypass the SafeInstall guard's intended deny or ask response when a coding agent is in use. This enables the coding agent to execute package installation or registry-provided scaffolding commands without any policy evaluation from SafeInstall or enforcement of disabled lifecycle scripts. This direct execution, carried out with the permissions of the developer account, poses a significant risk to the confidentiality, integrity, and availability of local source code, developer credentials, and other critical development resources. The vulnerability's scope is limited to guard interception, meaning commands already routed through the SafeInstall CLI continue to receive normal policy evaluation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003esafeinstall-cli\u003c/code\u003e to version 0.10.2 or later immediately to patch the parsing vulnerabilities that allow guard bypass.\u003c/li\u003e\n\u003cli\u003eUntil an upgrade to \u003ccode\u003esafeinstall-cli 0.10.2\u003c/code\u003e is possible, manually review every shell command issued by coding agents and explicitly prevent them from directly invoking package managers or registry runners.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:47:37Z","date_published":"2026-07-10T19:47:37Z","id":"https://feed.craftedsignal.io/briefs/2026-07-safeinstall-guard-bypass/","summary":"A vulnerability in SafeInstall CLI through version 0.10.1 allows attackers to bypass its agent guard and execute unauthorized package installation or registry-provided scaffolding commands, potentially compromising developer environments.","title":"SafeInstall CLI Guard Bypass Vulnerability Allows Unauthorized Package Execution","url":"https://feed.craftedsignal.io/briefs/2026-07-safeinstall-guard-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Safeinstall-Cli","version":"https://jsonfeed.org/version/1.1"}