Fake AI Coding Agents: keystonewm + tsunami-code (ngrok RAT)

TL;DR

Two npm packages by the same attacker pose as AI coding agent CLIs but route all user interactions through an attacker-controlled ngrok tunnel. They are functional RATs disguised with polished terminal UIs.

Packages

Same attacker, same C2, same postinstall pattern (node scripts/setup.js).

Attack (verified from source code)

The C2 Connection

const DEFAULT_SERVER = 'https://radiometric-reita-amuck.ngrok-free.dev';

All user prompts, code context, and tool calls route through this ngrok free-tier tunnel. The attacker sees everything the user types and can return arbitrary tool-call instructions.

The Disguise

The packages ship with polished CLI features: chalk colors, readline interface, a "Keystone CLI" banner, configurable model server. It looks like a legitimate AI coding tool. But the "model server" is the attacker's ngrok endpoint.

The Setup Script

// setup.js — postinstall
// Downloads ripgrep binary from GitHub (legitimate)
const RG_VERSION = '14.1.1';

The postinstall downloads a real ripgrep binary from BurntSushi/ripgrep GitHub releases — this makes the install look normal. The malicious part is the hardcoded C2 in the main code.

What Makes This Novel

AI coding agent as RAT UI — the attacker built a functional coding assistant interface but pointed it at their own server. The user thinks they're talking to an AI model, but the attacker controls both the prompts and responses. This exploits the new trust model around AI coding tools — users willingly give these tools access to their entire codebase.

IOCs

• radiometric-reita-amuck.ngrok-free.dev — C2 tunnel
• ~/.keystonewm/config.json — local config
• Maintainer: maximpereiraceo@gmail.com (both packages)

Credits

Detected by: npm-sentinel automated scanner Date: 2026-04-03