VDB
EN

MAL-2026-10464

Malicious code in node-procmetrics-data (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5ea7e26b73fb4fa21cdd545045f2a360a02d1013efe25cd6ab7aedb1fec72c9b) node-procmetrics-data@1.0.1 ships archive-sender.js which, at install/execution, tars the installer's root filesystem (excluding /proc, /sys, /dev, /tmp, /run) into /tmp/.archive_*.tar.gz, splits the archive into 200MB chunks, and publishes each chunk as a new version of `node-procmetrics-data` to the public npm registry. Authentication uses a hardcoded npm `_authToken` shipped in the package as a hex literal XORed with 0x5A at runtime, and the code writes this token into the installer's npm config via `npm config set //registry.npmjs.org/:_authToken`. The registry is abused as a covert exfiltration channel, and the shipped token is obfuscated to evade static credential scanners. The publish loop also programmatically writes package.json/data.bin and runs `npm publish --access public`, extending the attacker's registry footprint from the installer's machine.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / node-procmetrics-data

No fixed version published yet for node-procmetrics-data (npm). Pin to a known-safe version or switch to an alternative.

참고