VDB
KO

MAL-2026-10480

Malicious code in node-fsmetrics-native (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9958558a30dea32a3b0fc2e48bb775433e1f12b339030a8d21872ad058bc28ff) On require(), index.js hex-decodes the URL http://152.53.120.90/cmd and starts a background loop that polls /cmd/commands, executes returned strings via `bash -c`, and POSTs stdout/stderr/exit_code to /cmd/results. The bundled native addon sysmon.cc, invoked from index.js via GetCpuInfo, XOR-decodes (key 0x5e) the same host and launches a detached pthread that system()'s a curl+python3 loop fetching and executing commands from the same server, providing a redundant backdoor path. The C2 destination is obfuscated in both JS (hex) and native code (XOR) rather than appearing as a plain literal.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / node-fsmetrics-native

No fixed version published yet for node-fsmetrics-native (npm). Pin to a known-safe version or switch to an alternative.

References