npm · Malicious package advisory
Malwarenode-fsmetrics-native
MAL-2026-10480
Malicious code in node-fsmetrics-native (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9958558a30dea32a3b0fc2e48bb775433e1f12b339030a8d21872ad058bc28ff) On require(), index.js hex-decodes the URL http://152.53.120.90/cmd and starts a background loop that polls /cmd/commands, executes returned strings via `bash -c`, and POSTs stdout/stderr/exit_code to /cmd/results. The bundled native addon sysmon.cc, invoked from index.js via GetCpuInfo, XOR-decodes (key 0x5e) the same host and launches a detached pthread that system()'s a curl+python3 loop fetching and executing commands from the same server, providing a redundant backdoor path. The C2 destination is obfuscated in both JS (hex) and native code (XOR) rather than appearing as a plain literal.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.