Advisories for Npm/@Earendil-Works/Pi-Coding-Agent package

Exploitation requires local access to the same machine and read/traverse access to the victim's Pi agent configuration directory. Users whose ~/.pi/agent directory is private to their account are less exposed. The main impact is disclosure of stored provider credentials, which may allow use of the configured provider accounts according to the privileges of those credentials. This is not remotely exploitable by itself.

A local attacker with access to the same host can exploit this only if a victim runs a vulnerable pi version with a temporary npm or git extension package source that maps to the attacker-prepared location. No network attack path is involved and no race must be won, but victim interaction is required. Successful exploitation can allow arbitrary extension code execution as the victim user. This can expose or modify …

Exploitation requires user interaction: the attacker must get a user to open or otherwise work in an attacker-controlled repository and start Pi there. The attacker does not need an account on the user's machine or prior privileges in Pi. If exploited, project-local extension code runs with the same permissions as the user running Pi. It can access files, environment variables, credentials available to the process, the network, and local tools …

The realistic attack path is indirect. An attacker would need to get suitable Markdown into a session, for example through prompt injection that causes the model to include an unsafe link, or through other untrusted session content. The user would then need to export the session as HTML, open or share that file, and click the link. If triggered, script runs in the exported document, not in pi or the …