MAL-2026-10479
Malicious code in node-fsmetrics-data (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b67fad1d72f63941a3973df07e6cbd980c9e3c3bbe5041818f58b9be07d6b7e9) The tarball contains archive-sender.js, which tars the directory /root/.codex, splits the archive into 200MB chunks, and uploads each chunk by running `npm publish` against a sibling package name (node-procmetrics-data), using an npm registry `_authToken` that is XOR-obfuscated (hex bytes XOR 0x5A) and written into ~/.npmrc at runtime. The current package's hostname is embedded in the published manifest description. archive-sender.js calls archiveAndSend() at the top level, so `require`/`node` on that file triggers the archive-and-publish flow immediately. In this version index.js is empty, package.json declares no lifecycle scripts, and no other file requires archive-sender.js, so a default `npm install` does not auto-execute the payload — but the payload is fully wired and ships as a ready-to-run file inside the tarball. The obfuscated bundled publish token additionally allows anyone who extracts it to push arbitrary versions to the npm account it belongs to.
## Source: ghsa-malware (57ec12383e715341e57772316d09188e66f17f066466460b40ddff38405cb90f) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
0 No fixed version published yet for node-fsmetrics-data (npm). Pin to a known-safe version or switch to an alternative.