VDB
KO

MAL-2026-10445

Malicious code in node-procmetrics (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e41a88d3fab17af2429cc051cce026d47622123ce4005d3fbdda844dfca2783a) install.js executes automatically via the package.json postinstall hook. It XOR-decodes (key 0x5A) a hardcoded npm registry auth token and writes it into the installer's global npm config at //registry.npmjs.org/:_authToken, replacing the installer's own npm authentication with an attacker-controlled identity. It then polls registry.npmjs.org for this package's dist-tags, base64-decodes the 'cmd' field, and executes the resulting string via spawnSync('bash', ['-c', cmd],...) in an infinite loop, giving the publisher arbitrary shell execution on any machine that installs the package. The output and exit code of each executed command are base64-encoded, placed into a synthesized package.json description field under /tmp/pm-pkg, and pushed back to the public npm registry via 'npm publish --access public' using the hijacked token, using the registry itself as the exfiltration channel. For persistence, install.js copies itself to /tmp/.pm-agent.js and spawns a detached, unref'd Node process pointing at that file, so the polling loop survives past the npm install invocation. The combination of covert channel via dist-tags, XOR-obfuscated embedded credential, credential replacement in the installer's npm config, and detached persistent process is unambiguous backdoor behavior at install time.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / node-procmetrics

No fixed version published yet for node-procmetrics (npm). Pin to a known-safe version or switch to an alternative.

References