npm · Malicious package advisory
Malwarenode-fsmetrics-data
MAL-2026-10479
Malicious code in node-fsmetrics-data (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (b67fad1d72f63941a3973df07e6cbd980c9e3c3bbe5041818f58b9be07d6b7e9) The tarball contains archive-sender.js, which tars the directory /root/.codex, splits the archive into 200MB chunks, and uploads each chunk by running `npm publish` against a sibling package name (node-procmetrics-data), using an npm registry `_authToken` that is XOR-obfuscated (hex bytes XOR 0x5A) and written into ~/.npmrc at runtime. The current package's hostname is embedded in the published manifest description. archive-sender.js calls archiveAndSend() at the top level, so `require`/`node` on that file triggers the archive-and-publish flow immediately. In this version index.js is empty, package.json declares no lifecycle scripts, and no other file requires archive-sender.js, so a default `npm install` does not auto-execute the payload — but the payload is fully wired and ships as a ready-to-run file inside the tarball. The obfuscated bundled publish token additionally allows anyone who extracts it to push arbitrary versions to the npm account it belongs to.
Compromised versions (2)
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.