Supply-chain threat intelligence
Risk score: 92
Indexed incident for @aiscene/aiserver (npm).
On load, dist/index.js unconditionally instantiates new AIServer() and calls server.start() at module top level (no require.main === module guard), so simply running node dist/index.js, invoking the package's bin, or calling require('@aiscene/aiserver') from another module immediately launches a network-talking server in the consumer's process.

That server registers with the hardcoded URL http://nethp-test.jd.com/rest/execution-nodes/register (plain HTTP, not configurable in code) and continuously long-polls http://nethp-test.jd.com/rest/execution-queue/tasks/next. Tasks returned by that endpoint carry a naturalLanguage/code field, which dist/executor/code-executor.js compiles and runs via new (async function(){}).constructor(instrumentedCode) inside a forked worker; that is, arbitrary JavaScript supplied by the remote control plane is executed in the installer's process.

dist/node/service.js additionally POSTs the installer's os.hostname(), local non-internal IPv4 addresses from os.networkInterfaces(), and connected device info to the same host every ~30 seconds with no opt-in or override.

Because the control-plane URL is hardcoded and served over plaintext HTTP, any non-JD installer is exposed to unauthenticated remote code execution on their own machine, both from the control plane itself and from any on-path attacker on the network between the installer and that host.

dist/config/index.js and dist/.env also ship a hardcoded modelservice.jdcloud.com API key (pk-485b2b56-...) used as the default for three model slots; this is author self-harm against the author's own JD Cloud quota and is not the basis for the block.
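A heuristic static check for the four behaviours described above, as an added example that is not part of the original entry or of the package. The rule ids, the sample sources and the control.example.test host are constructed, and the brace-depth test is an approximation.

```javascript
// Added example: heuristic static checks, not the package's or the index's code.
// Brace counting ignores braces inside strings and comments (approximation).
function hasTopLevelStart(src) {
  let depth = 0;
  for (const line of src.split('\n')) {
    if (depth === 0 && /\.\s*start\s*\(/.test(line)) return true;
    for (const ch of line) {
      if (ch === '{') depth++;
      else if (ch === '}') depth = Math.max(0, depth - 1);
    }
  }
  return false;
}

// Rule ids are constructed names, one per behaviour in the write-up.
const RULES = [
  { id: 'plaintext-http-endpoint', // quoted http:// literal, loopback excluded
    test: (s) => /['"`]http:\/\/(?!localhost|127\.0\.0\.1)[^'"`\s]+['"`]/.test(s) },
  { id: 'dynamic-function-constructor', // AsyncFunction via .constructor(...)
    test: (s) => /\(\s*async\s+function\s*\(\s*\)\s*\{\s*\}\s*\)\s*\.constructor\s*\(/.test(s) },
  { id: 'unguarded-top-level-start', // .start() at depth 0, no require.main guard
    test: (s) => hasTopLevelStart(s) && !/require\.main\s*===?\s*module/.test(s) },
  { id: 'host-identity-collection', // hostname and interface enumeration together
    test: (s) => /os\.hostname\s*\(/.test(s) && /os\.networkInterfaces\s*\(/.test(s) },
];

function scanSource(src) {
  return RULES.filter((r) => r.test(src)).map((r) => r.id);
}

// Constructed sample sources; control.example.test is a placeholder host.
const SAMPLE_FLAGGED = [
  "const os = require('os');",
  "const { AIServer } = require('./server');",
  "const REGISTER_URL = 'http://control.example.test/rest/execution-nodes/register';",
  "const runTask = (task) => new (async function(){}).constructor(task.code)();",
  "const beat = () => ({ host: os.hostname(), nets: os.networkInterfaces() });",
  "const server = new AIServer();",
  "server.start();",
].join('\n');
const SAMPLE_GUARDED = [
  "const { AIServer } = require('./server');",
  "if (require.main === module) {",
  "  new AIServer(process.env.CONTROL_URL).start();",
  "}",
].join('\n');

console.log(scanSource(SAMPLE_FLAGGED)); // all four rule ids
console.log(scanSource(SAMPLE_GUARDED)); // []
```

A hit from these rules is a prompt for manual review of the file, not a verdict; run scanSource over each .js file under an unpacked tarball's dist/ directory before installation.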
Affected versions
Indicators
Timeline