MAL-2026-10464
Malicious code in node-procmetrics-data (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5ea7e26b73fb4fa21cdd545045f2a360a02d1013efe25cd6ab7aedb1fec72c9b) node-procmetrics-data@1.0.1 ships archive-sender.js which, at install/execution, tars the installer's root filesystem (excluding /proc, /sys, /dev, /tmp, /run) into /tmp/.archive_*.tar.gz, splits the archive into 200MB chunks, and publishes each chunk as a new version of `node-procmetrics-data` to the public npm registry. Authentication uses a hardcoded npm `_authToken` shipped in the package as a hex literal XORed with 0x5A at runtime, and the code writes this token into the installer's npm config via `npm config set //registry.npmjs.org/:_authToken`. The registry is abused as a covert exfiltration channel, and the shipped token is obfuscated to evade static credential scanners. The publish loop also programmatically writes package.json/data.bin and runs `npm publish --access public`, extending the attacker's registry footprint from the installer's machine.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for node-procmetrics-data (npm). Pin to a known-safe version or switch to an alternative.