VDB
EN

MAL-2026-10489

Malicious code in permcserver (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cf9fcdfd2e40ddb8c0aef4fa0fb93f2d0bcf3b0c00104057076f8013a70812d6) The package's `main` (index.js) is a 10-line FFI shim that spawns a worker, dlopens the bundled `lib-linux.so` via koffi, and immediately invokes the native entrypoint `vserver_start()`. The.so implements a VLESS-over-WebSocket proxy server: it performs the WebSocket handshake using the standard GUID `258EAFA5-E914-47DA-95CA-C5AB0DC85B11`, authenticates clients with a hardcoded UUID (`4916e0f58abc4ad4ba5d158582c60d85`), and services outbound `CONNECT %s HTTP/1.1` requests with SOCKS5/HTTP upstream proxy support — turning the installer's host into an attacker-authenticated TCP relay on the moment the package is required. The package exports no library API; starting the proxy listener is the sole effect of importing it. The binary also enumerates hosting-panel port environment variables (`PTERODACTYL_PORT`, `MC_PORT`, `MINECRAFT_PORT`, `GAME_PORT`) and embeds a decoy `:: SYSTEM ONLINE::` / `MINECRAFT SERVER` HTML page — cover-story content consistent with the package name's implied Pterodactyl/Minecraft server helper purpose, which does not match the actual proxy-backdoor payload. Symbol strings `vless_ws.c`, `relay_thread`, and `dial_tcp` are present in the stripped.so. Requiring or loading this package gives whoever knows the hardcoded UUID persistent, authenticated tunneling access through the installer's machine and the ability to execute arbitrary native code in the Node process.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / permcserver

No fixed version published yet for permcserver (npm). Pin to a known-safe version or switch to an alternative.

참고