MAL-2026-10488
Malicious code in permcarmserver (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4e70168ba32f543c08a0c98b81e648d09e9793bcc533a34c2f0ce9ca7a14536e) On require, index.js spawns a worker that uses koffi FFI to load a file named index.html and invoke its exported vserver_start(). Despite the extension, index.html is an aarch64 Linux ELF shared library built from vless_ws.c; it implements a VLESS-over-WebSocket proxy with a hardcoded client UUID 4916e0f5-8abc-4ad4-ba5d-158582c60d85, accepts WebSocket upgrades, and relays arbitrary attacker-directed TCP CONNECT traffic through the installing host. The ELF returns a decoy ':: SYSTEM ONLINE:: MINECRAFT SERVER' HTML page to casual HTTP probes as a cover story. One second after the worker signals 'started', index.js recursively deletes the installed package directory with fs.rmSync(pkgDir, { recursive: true, force: true }), while the loaded native library keeps running in memory. The combination of native ELF masquerading as HTML, FFI load on require, hardcoded VLESS identity, TCP relay capability, and post-activation self-deletion converts the installing host into a covert attacker-controlled proxy relay.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for permcarmserver (npm). Pin to a known-safe version or switch to an alternative.