VDB
KO

MAL-2026-10741

Malicious code in netcontrol-agent (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (967b375e5686bd1eab74838f00cd21c2a8e15291f03a8140b494a83052fd2a92) netcontrol-agent.js implements a remote agent that long-polls a configured server URL and pipes the returned bytes directly into an interactive shell's stdin (cmd.exe on Windows, $SHELL or /bin/bash -i on Linux), while streaming stdout/stderr back to the server's /session/<id>/output endpoint. The relayLoop auto-attaches to any session the server advertises, so whoever controls NC_SERVER_URL obtains full interactive command execution on every host running the agent. The --install path escalates blast radius by writing a systemd unit that runs the agent as root, or a Windows scheduled task with /RU SYSTEM /RL HIGHEST /SC ONSTART, providing boot persistence at maximum privilege. An NC_AUTO_UPDATE mode downloads a replacement agent script from the same server and atomically overwrites AGENT_PATH, letting the server push arbitrary new code to installed hosts on the next poll. Collected host identifiers (os.hostname(), version) are also POSTed to the server. The remote-shell-plus-persistence-plus-self-update composition is a full backdoor mechanism regardless of the package's self-description.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / netcontrol-agent

No fixed version published yet for netcontrol-agent (npm). Pin to a known-safe version or switch to an alternative.

References