Advisories for npm/@mariozechner/pi-coding-agent package

2026

Pi Agent: Race condition in Pi auth.json writes could expose stored credentials

Exploitation requires local access to the same machine and read/traverse access to the victim's Pi agent configuration directory. Users whose ~/.pi/agent directory is private to their account are less exposed. The main impact is disclosure of stored provider credentials, which may allow use of the configured provider accounts according to the privileges of those credentials. This is not remotely exploitable by itself.

Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts

A local attacker with access to the same host can exploit this only if a victim runs a vulnerable pi version with a temporary npm or git extension package source that maps to the attacker-prepared location. No network attack path is involved and no race must be won, but victim interaction is required. Successful exploitation can allow arbitrary extension code execution as the victim user. This can expose or modify …

Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass

The realistic attack path is indirect. An attacker would need to get suitable Markdown into a session, for example through prompt injection that causes the model to include an unsafe link, or through other untrusted session content. The user would then need to export the session as HTML, open or share that file, and click the link. If triggered, script runs in the exported document, not in pi or the …