
Security News
/Research
Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.
@openparachute/agent
Advanced tools
Vault-native agents for Claude Code — a #agent/definition note + an inbound message becomes a sandboxed claude turn; the reply is written back as a note. Messaging gateway on :1941.
Chat with your Claude Code sessions — a channel per session.
⚠️ Experimental (v0.1.0). Agent is a preview, evolving quickly. It runs today on an owner-operated, trusted machine — it is not yet hardened for untrusted or multi-tenant use. Read Status & safety before you rely on it. (Part of Parachute; conventions in
parachute-patterns.)
Agent is a messaging fabric for Claude Code. One daemon hosts named channels; a Claude Code session connects to a channel, and you talk to it — from Telegram, from a Parachute vault, or from the built-in web chat. The session replies on the same channel. It also lets you spawn and watch sandboxed agent sessions from the browser.
vault — messages are durable #agent/message
notes in a Parachute vault, so the conversation is queryable and renders in any
vault surface (this is the recommended transport).telegram — a Telegram bot, one per channel.http-ui — an ephemeral in-memory transport for quick local testing.<hub-origin>/agent/ — Home, Chat, Agents,
Terminal, and Config, on the Parachute brand. Chat over a vault channel shows
the durable transcript and writes your messages back as notes.Two components connected by SSE — a long-running daemon and a per-session bridge:
your transports (Telegram / vault trigger / web chat)
↕
daemon (port 1941, one per machine) ──┐ owns each transport; fans inbound
↕ SSE (/events) + HTTP (/api/*) │ to subscribers, accepts outbound
bridge (stdio MCP, per session) │
↕ MCP notifications + tools │
Claude Code session ──────────────────┘ wakes on a message, replies with a tool
A session can also connect as a pure HTTP MCP server (by URL + OAuth, exactly like adding the vault) — no local config file. See Connecting a session.
Deeper design + operational detail live in CLAUDE.md.
Agent is focus: experimental and pre-1.0. What's solid vs. early:
Read this about agent sessions. A spawned agent runs claude with
--dangerously-skip-permissions (it's autonomous — no human at the terminal to
answer prompts). The containment is the OS sandbox
(@anthropic-ai/sandbox-runtime —
Seatbelt on macOS, bubblewrap on Linux), with two independent boundaries you set
per spawn:
workspace (default): reads are scoped to the agent's own
workspace + the claude runtime, so it can't read your home tree (SSH keys,
~/.parachute/operator.token, other projects); full: broad reads. Writes are
confined to the workspace in both.open (default): full internet; restricted: only the
Anthropic API + your hub/vault + hosts you list.The default (scoped reads + open network) is safe for your own agents because
the filesystem sandbox keeps secrets unreadable — open network can't exfiltrate
what the agent can't see. For an agent that handles untrusted input, use
network: restricted. This is appropriate for an owner-operated, trusted box;
full multi-tenant isolation is future work.
Agent runs alongside the rest of a Parachute install (the
hub is the portal + OAuth
issuer). Install from npm (@openparachute/agent publishes via tag-triggered CI):
parachute install agent # via the hub CLI (the normal path)
# or directly: bun add -g @openparachute/agent
For development, run it from source instead:
git clone https://github.com/ParachuteComputer/parachute-agent
cd parachute-agent
bun install
bun link # so `parachute start agent` follows this checkout
The daemon self-registers into ~/.parachute/services.json and ships
.parachute/module.json, so the hub lists it in the portal and reverse-proxies
<hub-origin>/agent/* → the loopback daemon. Reach the web surface at
<hub-origin>/agent/ (or http://127.0.0.1:1941/ locally).
| npm | @openparachute/agent |
| bins | parachute-agent (daemon), parachute-agent-bridge (session bridge) |
| port | 1941 · paths /agent |
| scopes | agent:read · agent:write · agent:send · agent:admin |
| state | ~/.parachute/agent/ (channels.json, access.json, inbox/) |
Reachable at <hub-origin>/agent/:
vault channel you see the durable
transcript (markdown rendered); your messages are written back as notes.A vault channel stores every message as a note carrying two tags: the parent
#agent/message (queryable membership — list a channel's whole transcript with
one tag: "#agent/message" + metadata.channel query) and a directional child
#agent/message/inbound (human→session) or #agent/message/outbound
(session→human). Inbound notes wake the session via a vault trigger; replies are
written as outbound notes. Because the conversation lives in the vault, it's
durable, queryable, and renders in any vault surface — the built-in chat and a
custom surface show the same thread. Full note shape + the trigger setup are in
CLAUDE.md.
A Claude Code session connects to a channel as a pure HTTP MCP server — by URL + OAuth, like adding the vault:
claude mcp add --transport http agent <hub-origin>/agent/mcp/<channel>
It prompts for OAuth the first time. The session wakes on inbound messages and
replies with the reply tool. (A stdio bridge over /events + /api/* also
works for local/headless launches — see CLAUDE.md.)
FAQs
Vault-native agents for Claude Code — a #agent/definition note + an inbound message becomes a sandboxed claude turn; the reply is written back as a note. Messaging gateway on :1941.
The npm package @openparachute/agent receives a total of 4,640 weekly downloads. As such, @openparachute/agent popularity was classified as popular.
We found that @openparachute/agent demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.

Security News
npm v12 is generally available, turning install scripts off by default and beginning the deprecation of 2FA-bypass publishing tokens.

Research
/Security News
Socket tracks the activity as Operation “Muck and Load”: a threat actor uses commit-farming workflows, public dead drops, and protected archives to stage Windows RAT and infostealer malware.