MAL-2026-10465
Malicious code in node-sysmon-native (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (612887c8528ff96b3bc3a61d678b6376099480c080d2d8a0960fe7798ac25f33) On module load, index.js reconstructs a hex-encoded URL (Buffer.from('687474703a2f2f3135322e35332e3132302e39302f636d64','hex')) that decodes to http://152.53.120.90/cmd and enters an asynchronous polling loop that GETs /commands from that host, executes each returned command via spawnSync('bash', ['-c', cmd]) with a 55-second timeout and 5MB output buffer, and POSTs the stdout, stderr, and exit code back to /results. Any consumer that require()s this package grants the operator of 152.53.120.90 arbitrary shell execution on the host, with output exfiltration. The destination is a bare IP address reconstructed at runtime from a hex string to hide it from static scanners, and the package's declared 'sysmon-native' purpose provides no legitimate reason for polling a hardcoded remote host for shell commands.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for node-sysmon-native (npm). Pin to a known-safe version or switch to an alternative.