VYPR

npm · Malicious package advisory

Malware

node-fsagent

MAL-2026-10506

Malicious code in node-fsagent (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a3a0392a3ddea9b6099e8501fdb827f586a410323cecea214aa50fc1be42183b)
The package tarball ships archive-sender.js, which archives the host path /root/.codex, splits the tar into ~200MB chunks, reconstructs an npm registry _authToken at runtime by XOR-ing an embedded byte array against a key array, writes that token into the local npm config via `npm config set //registry.npmjs.org/:_authToken`, and then invokes `npm publish --access public` on each chunk as sequential versioned releases of the package name 'node-fsagent'. This uses the public npm registry as a covert data-exfiltration channel and simultaneously constitutes credential distribution: the embedded token grants publish rights to the token owner's npm account and would allow republishing over the 'node-fsagent' name (and any other packages owned by that account). The declared main entry (index.js) is a single newline and no lifecycle scripts are declared in package.json, so archive-sender.js does not auto-execute on `npm install` or on `require('node-fsagent')`; the malicious behavior fires only when the script is invoked directly. The package advertises no legitimate functionality (empty main, no documented API), and the shipped script's only purpose is host-path archival and registry-token-driven upload.

Compromised versions (9)

  • 1.1.3
  • 1.2.2
  • 1.0.4
  • 1.1.2
  • 1.1.1
  • 1.2.0
  • 1.0.0
  • 1.0.8
  • 1.2.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.