VYPR

npm · Malicious package advisory

Malware

node-fsmetrics-data

MAL-2026-10479

Malicious code in node-fsmetrics-data (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b67fad1d72f63941a3973df07e6cbd980c9e3c3bbe5041818f58b9be07d6b7e9)
The tarball contains archive-sender.js, which tars the directory /root/.codex, splits the archive into 200MB chunks, and uploads each chunk by running `npm publish` against a sibling package name (node-procmetrics-data), using an npm registry `_authToken` that is XOR-obfuscated (hex bytes XOR 0x5A) and written into ~/.npmrc at runtime. The current package's hostname is embedded in the published manifest description. archive-sender.js calls archiveAndSend() at the top level, so `require`/`node` on that file triggers the archive-and-publish flow immediately. In this version index.js is empty, package.json declares no lifecycle scripts, and no other file requires archive-sender.js, so a default `npm install` does not auto-execute the payload — but the payload is fully wired and ships as a ready-to-run file inside the tarball. The obfuscated bundled publish token additionally allows anyone who extracts it to push arbitrary versions to the npm account it belongs to.

Compromised versions (2)

  • 1.0.1
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.