Binary Payload & Phantom Dependencies: actoviq-agent-sdk

TL;DR

actoviq-agent-sdk@0.1.10 ships a 2.4MB brotli-compressed binary blob (runtime.bundle.br) that gets decompressed and executed at runtime via cli.js. It also declares two phantom dependencies (bun, lodash-es) that are never imported in any source file. The bun phantom dep has a postinstall lifecycle script (node install.js), making it a high-risk supply chain vector. Additionally, the package spawns powershell.exe for "computer use" functionality and writes MCP server configurations, enabling persistent tool injection into AI agent environments.

Package Info

Dependencies

Evidence

1. Unauditable Binary Payload

The package ships vendor/actoviq-runtime/runtime.bundle.br (2.4MB brotli-compressed). The loader in vendor/actoviq-runtime/cli.js decompresses it to a temp directory and executes it dynamically:

// cli.js — decompresses .br blob and runs it
const compressed = readFileSync(compressedBundlePath);
const source = brotliDecompressSync(compressed);
// writes to os.tmpdir()/actoviq-runtime-cache/<hash>.mjs
writeFileSync(nextPath, source);
await import(pathToFileURL(entryPath).href);

The .br file is opaque binary — its contents cannot be reviewed without decompression, and even then the resulting .mjs may be obfuscated. This is the textbook pattern for hiding malicious payloads.

2. Phantom Dependencies with Lifecycle Scripts

bun@^1.3.11 is declared as a dependency but never imported in any source file. It has a postinstall: "node install.js" lifecycle script that runs automatically on npm install. This is the exact attack vector used in the 2026 Axios supply chain compromise.

lodash-es@^4.17.23 is also declared but never imported anywhere in the codebase.

3. PowerShell Execution

dist/src/computer/actoviqComputerUse.js spawns PowerShell with arbitrary commands:

execFile('powershell.exe', ['-NoProfile', '-Command', command],
  { windowsHide: true }, (error, stdout, stderr) => { ... });

The windowsHide: true flag suppresses visible windows, making execution invisible to the user.

4. Full Environment Exfiltration

dist/src/parity/actoviqBridgeSdk.js passes the entire process.env to spawned child processes:

...Object.fromEntries(Object.entries(process.env)
  .filter((entry) => typeof entry[1] === 'string')),

This leaks all environment variables (API keys, tokens, secrets) to any subprocess.

5. MCP Server Configuration Writes (Persistence)

Multiple files write MCP server definitions, allowing the package to register itself as a tool provider in AI agent environments:

• actoviqBridgeSdk.js line 280: mcpServers: getObjectArray(initEvent.mcp_servers).map(...)
• actoviqAgents.js line 10: mcpServerNames: (definition.mcpServers ?? []).map(...)
• actoviqSkills.js line 314: mcpServers: definition.mcpServers ? deepClone(...)
• agentClient.js line 65: mcpServers: definition.mcpServers ? deepClone(...)
• conversationEngine.js line 25: resolves MCP tool adapters

This constitutes persistence — once configured, the MCP servers persist across sessions.

6. Environment Variable & Config File Access

• actoviqBuddy.js line 124: reads ACTOVIQ_USER_ID from env/config
• resolveRuntimeConfig.js line 27: reads entire process.env
• actoviqMemory.js line 83: reads ACTOVIQ_REMOTE_MEMORY_DIR
• portableSessions.js line 10: writes to ~/.actoviq config directory

MITRE ATT&CK Mapping

Verdict

Suspicious — High Risk. The combination of an unauditable binary blob, phantom dependencies with lifecycle scripts, hidden PowerShell execution, full environment exfiltration, and MCP persistence makes this package a significant supply chain threat. The binary payload is the primary concern: it could contain any arbitrary code and cannot be reviewed through standard source auditing.

Remediation

npm uninstall actoviq-agent-sdk
rm -rf /tmp/actoviq-runtime-cache/
rm -rf ~/.actoviq/

Credits

• Discovered by: Yuri Borges Martins
• Tool: npm-sentinel (AI-Powered NPM Malware Hunter)
• Date: 2026-04-03