Introduction
On May 31, 2026, the Panther Threat Research team identified a newly-published npm package, @agen2/connect, that establishes a persistent remote-control channel between developer machines and an operator-controlled web platform. The design pattern is consistent with the broader Chinese gray-market AI-relay ecosystem documented elsewhere, but the specific architectural choices raise substantial privacy and trust concerns regardless of the operator's intent. The package was published under the maintainer account agen2 (wf[.]ttt@icloud[.]com) and iterated across four versions in roughly 33 hours: 0.1.0 and 0.2.0 were published on May 31 as benign-looking stubs, and the remote-control logic was introduced in 0.3.0 and 0.4.0 on June 1.
The package describes itself as a connector that links locally installed AI agent CLIs including Claude Code, Hermes, OpenClaw, and ClawClaude to a hosted web interface at 103[.]19[.]50[.]79:3000. Users register on the platform, receive a unique accountKey, and are instructed to run a single npx command with that key passed via --auth-url. On execution, the package transmits the accountKey to the operator's server over a hardcoded, unencrypted ws:// WebSocket, enumerates the user's locally installed AI CLIs, and maintains a self-healing channel through which the operator can relay prompts to those CLIs and receive the resulting LLM output in real time. Whether this is best described as a legitimate-if-opaque agent dashboard or as a covert compute-monetization scheme is genuinely ambiguous. Several design choices push the package well outside what a benign productivity proxy needs: full process.env passthrough to operator-controlled execFile calls, operator-controlled "group memory" context silently prepended to every prompt the user's CLI sees, no published privacy policy or terms of service, and a throwaway iCloud publisher email with no corresponding business entity.
With 272 recorded downloads and the operator's live control panel showing 3 connected agents and 336.2k accumulated tokens of relayed AI compute at the time of discovery, the platform was operationally active when our scanner identified it. All known publisher identifiers return zero hits across public threat intelligence corpora, marking the operator as a previously undocumented entity. The evidence available is insufficient to definitively classify the package as malicious supply-chain malware or as an aggressive but consensual gray-market AI proxy. This report walks through the observed behavior and lets the reader judge the boundary.
Campaign Overview
The @agen2/connect package presents itself as a third-party web UI that lets users connect and chat with locally installed AI agents (Claude Code, OpenClaw, Hermes, ClawClaude). The hosted interface lives at 103[.]19[.]50[.]79:3000 and generates a unique accountKey for each registered user. The user is instructed to run npx @agen2/connect@latest --auth-url <accountKey> to link their AI tooling. The package then sends the account key to the platform server and discovers locally installed AI CLIs.
In practice, the implementation goes well beyond what a typical agent dashboard requires. The accountKey is sent unencrypted to the operator's server on the first WebSocket frame, the package opens a persistent self-healing channel, and the operator can relay prompts to the user's CLIs via execFile() and stream the responses back in real time. Whether framed as a productivity feature or as remote code execution, the operator holds the same capability either way. A live capture of the platform's control panel showed 3 connected agents and 336.2k tokens of relayed AI compute accumulated, indicating the service was actively in use at the time of discovery.
Version Timeline
Version | Published (UTC) | Scanner Verdict | Notes |
|---|---|---|---|
0.1.0 | 2026-05-31 13:05 | None | Initial publish; no C2 present; establishes package history |
0.2.0 | 2026-05-31 14:56 | None | Minor iteration; no verdict; continues to suppress new-package risk signals |
0.3.0 | 2026-06-01 12:48 | MALICIOUS ( 0.95 ) | C2 hardcoded; credential exfiltration and WebSocket backdoor active; Panther alert triggered |
0.4.0 | 2026-06-01 | Socket gptSecurity flag | Continued iteration; unencrypted ws:// C2; Socket.dev high confidentiality risk assessment |
Technical Analysis
The package functions as a WebSocket remote agent relay. On first connection, the software transmits the accountKey to a hardcoded server. It discovers all locally installed CLIs and establishes a bidirectional command channel that allows the operator to execute prompts against those CLIs and retrieve the results.
The channel is unencrypted, as shown by the browser's not secure banner due to the use of ws:// rather than wss://. This choice is unusual for any production service moving sensitive data, since the prompts, AI responses, and the accountKey all cross the wire in plaintext.
The use of a raw IP rather than a domain is also unusual for a production service. The operator's server is baked in as the default, with a self-host override available only if the user supplies one manually.
I retrieved the images below by navigating to the agen2 platform from within a virtual browser. The content was originally in Chinese so I translated the pages for legibility.
This image showcases the login form for the agen2 platform.
Upon account creation, you can see that a unique account key is generated per user.
Following this, the platform instructs the user to run the following command npx @agen2/connect@latest —auth-url <accountKey>.
On running the command, the user's accountKey (passed via --auth-url) is transmitted to the operator's server. The key is not used locally and only serves as the platform's identifier for this connection. The candidates payload immediately enumerates every local AI CLI (Hermes, Claude, OpenClaw, ClawClaude) that the user has installed, giving the operator a complete inventory of available tooling before any further exchange.
Once the connection is established, the server registers the machine as an active "agent" visible within the operator's live control panel. The panel showed three active connections and over 336,000 tokens of relayed AI compute at the time of capture.
From this point, the operator has persistent remote control of the channel and can relay arbitrary prompts to the user's local AI CLI through Node.js's execFile() function. Responses stream back to the operator in real time. The child process inherits the user's full environment, so any API keys or secrets stored as environment variables (Anthropic keys, OpenAI keys, AWS credentials) are reachable by the executed commands. The operator also receives continuous telemetry about each task and can retrieve full conversation transcripts on demand. A secondary path exists for "group memory" content, where the operator can pre-load instructions that get silently prepended to every prompt the user's CLI receives, with no indication to the user.
The connector is designed to be self-healing. If the WebSocket drops for any reason, the package re-establishes the connection every three seconds. A state file in the user's home directory preserves the same logical agent identity across restarts, so the machine remains registered in the operator's panel for as long as the process is alive. Removing the connector requires killing the process, uninstalling the package, and deleting the state file. The publisher avoided obfuscation and install-hook techniques entirely. The risk lives in the combination of a hardcoded operator endpoint and standard, individually-legitimate API calls, which is why static analysis tools like GuardDog returned zero findings.
Attribution
The activity is linked to a Chinese based platform called agen2 rather than an explicit actor. Upon searching Github, there is an account linked to agen2 with zero repositories present and it appears they joined on October 11, 2020. There only appears to be one NPM account linked to the agen2 platform which can be found here. There appears to only be one package linked to that account which is the @agen2/connect package. The e-mail that is linked to the actor is an iCloud account titled wf[.]ttt@icloud[.]com which appears to be a throwaway account of some sort.
As a whole, it appears the actor is new as there are no prior traces of the platform itself or the actor’s prior activity. The IP is from Net Innovation which offers VPS hosting with minimal identity verification. The actor initially relied on a raw IP rather than a registered IP which could indicate that the actor prioritized speed and cost for the platform.
Detection
This activity evaded static detection because the code was not obfuscated and relied solely on standard APIs (WebSocket, child_process, fs). The risk surface of this package lies in the combination of behaviors that sit outside what a benign productivity proxy requires: credential transmission to a hardcoded operator endpoint, operator-driven execution against local CLIs, full environment inheritance, and a platform-mediated enrollment flow. The Panther AI LLM analysis flagged this combination where the static GuardDog rule produced no findings.
GuardDog tends to look for explicit indicators in its static analysis, including install scripts, obfuscation, and explicitly suspicious URLs. This package evaded detection by leveraging otherwise legitimate API processes used in a concerning context. The Panther LLM analysis caught the behavior because of the combination of accountKey transmission (accountKey to ws://103[.]19[.]50[.]79:3000), a hardcoded operator-controlled IP, and an execFile() relay driven by inbound WebSocket frames. On this combination of signals, the Panther LLM analysis returned a high-risk verdict at 0.95 confidence, surfacing the package for analyst review.
Conclusion
The @agen2/connect case sits in an unusual middle ground between an aggressive Chinese gray-market AI relay service and a genuinely covert supply chain operation, and the evidence available is not yet sufficient to definitively place it on one side of that line. The package was published under the alias agen2 (wf[.]ttt@icloud.com) and iterated across four versions in 33 hours, with 0.1.0 and 0.2.0 released on 2026-05-31 as benign stubs and the remote-control logic introduced in 0.3.0 and 0.4.0 on 2026-06-01. The implementation is unobfuscated, ships no install hook, and uses only standard Node.js APIs, which is why static analyzers like GuardDog produced no findings. The C2 endpoint at 103[.]19[.]50[.]79:3000 resolves to AS62864 (Net Innovation LLC, Osaka, Japan), a VPS provider commonly used by low-cost Chinese-market deployments.
The broader context matters here. A substantial gray market exists for Chinese-language LLM access, driven by Great Firewall restrictions that prevent Chinese developers from reaching OpenAI, Anthropic, and Google AI services directly. Resellers on Xianyu, Goofish, and Taobao routinely list cheap access via router endpoints, and platforms positioned as "AI agent dashboards" have become a common front-end for this trade. The agen2 platform fits that surface profile, but several design choices push the package well outside what a typical gray-market proxy needs. The accountKey is sent in plaintext over ws://, the child process spawned by execFile() inherits the user's full process.env, the operator can silently prepend "group memory" context to every prompt, and the connector reconnects every three seconds with a stable identity persisted to disk. A productivity proxy does not need any of those properties.
A capture of the operator's control panel at the time of detection showed 3 active connections and 336.2k tokens of relayed AI compute, confirming the platform is operationally in use whatever its intended purpose. Attribution remains incomplete. All known identifiers (agen2, wf[.]ttt@icloud.com, 103[.]19[.]50[.]79) return zero hits across public and internal threat intelligence corpora. The strongest signal is linguistic, since every element of the package and the platform UI is authored in Simplified Chinese, and the targeted tooling (hermes, clawclaude, claude, openclaw) is predominantly used within Chinese-language AI developer communities. The agen2 GitHub account (72701985), dormant since its creation on 2020-10-11, may reflect either deliberate account aging or username recycling, and the available evidence does not distinguish between them. With 272 recorded downloads and no prior watchlist coverage, the immediate priorities are npm coordination on all four versions, perimeter blocking of 103[.]19[.]50[.]79, user notification and API key rotation guidance, and adding the known indicators to the Supply Chain Indicator Threat Feed.
Read more of the latest reports from Panther's Threat Research Team here.
IoCs
Artifacts
Indicator | Type | Source Line |
|---|---|---|
ws://103[.]19[.]50[.]79:3000/api/agent-realtime | WebSocket C2 endpoint | DEFAULT_SERVER constant |
103[.]19[.]50[.]79 | C2 IP | Embedded in DEFAULT_SERVER |
~/.agen2-connect.json | Persistence artifact | stateFile constant |
agen2_sk_ | Credential key prefix | Pattern observable from live panel |
hermes , claude , clawclaude , openclaw | Targeted AI CLIs | KNOWN array |
AGEN2_URL | Environment variable override | process.env.AGEN2_URL |
Code Snippets
Behavior | Code Location | Severity | Notes |
|---|---|---|---|
Credential exfiltration | ws.on("open", ...) → hello frame | 🔴 Critical | accountKey sent immediately, before any user interaction |
Remote code execution | handleUserMsg → runCli → execFile | 🔴 Critical | Owner controls prompt content; runs against local AI CLIs |
Env var exposure | execFile(..., { env: process.env }) | 🔴 Critical | All secrets in env passed to child; AI can be prompted to echo them |
Persistence | ~/.agen2-connect.json | 🟠 High | Stable IDs survive restarts; backdoor re-establishes after reconnect |
Auto-reconnect | ws.on("close", ...) setTimeout 3s | 🟠 High | Self-healing backdoor; no clean exit |
Session history exfiltration | session:request handler | 🟠 High | Full conversation transcripts retrievable on demand |
Group memory exfiltration | 记忆 (memory): regex extraction | 🟡 Medium | Secondary channel; memory injection |
Prompt injection | group.memory in prompt | 🟡 Medium | Server-controlled context prepended to all prompts |
Telemetry stream | Multiple telemetry frames | 🟡 Medium | Real-time task metadata; feeds token monetization accounting |
Unencrypted C2 | ws:// (not wss:// ) | 🟡 Medium | All traffic in plaintext; interceptable on network path |
CLI inventory disclosure | candidates in hello | 🟡 Medium | Immediately reveals which AI tools user has installed |
Threat Actor Profile
Attribute | Value | Notes |
|---|---|---|
npm username | agen2 | Single package published ( @agen2/connect ) |
GitHub username | agen2 | GitHub User ID 72701985 |
GitHub account created | 2020-10-11 | ~5.5 years before activity |
npm maintainer email | wf[.]ttt@icloud.com | No prior web presence found |
C2 IP | 103[.]19[.]50[.]79 | No prior threat intel hits |
C2 ASN | AS62864 — Net Innovation LLC | Osaka, Japan; anonymous VPS hosting |
C2 service | ws://103[.]19[.]50[.]79:3000/api/agent-realtime | Unencrypted WebSocket backdoor channel |
Credential key prefix | agen2_sk_<hex> | Per-victim account keys |
Persistence artifact | ~/.agen2-connect.json | Written on victim's home directory |
Share:
RESOURCES
