MAL-2026-10445

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-procmetrics/MAL-2026-10445.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10445
Published
2026-07-13T13:59:48Z
Modified
2026-07-13T15:49:30.697252555Z
Summary
Malicious code in node-procmetrics (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e41a88d3fab17af2429cc051cce026d47622123ce4005d3fbdda844dfca2783a)

install.js executes automatically via the package.json postinstall hook. It XOR-decodes (key 0x5A) a hardcoded npm registry auth token and writes it into the installer's global npm config at //registry.npmjs.org/:_authToken, replacing the installer's own npm authentication with an attacker-controlled identity. It then polls registry.npmjs.org for this package's dist-tags, base64-decodes the 'cmd' field, and executes the resulting string via spawnSync('bash', ['-c', cmd],...) in an infinite loop, giving the publisher arbitrary shell execution on any machine that installs the package. The output and exit code of each executed command are base64-encoded, placed into a synthesized package.json description field under /tmp/pm-pkg, and pushed back to the public npm registry via 'npm publish --access public' using the hijacked token, using the registry itself as the exfiltration channel. For persistence, install.js copies itself to /tmp/.pm-agent.js and spawns a detached, unref'd Node process pointing at that file, so the polling loop survives past the npm install invocation. The combination of covert channel via dist-tags, XOR-obfuscated embedded credential, credential replacement in the installer's npm config, and detached persistent process is unambiguous backdoor behavior at install time.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.7"
            ],
            "id": "IN-MAL-2026-010237",
            "modified_time": "2026-07-13T14:00:44Z",
            "import_time": "2026-07-13T14:19:32.964817481Z",
            "sha256": "4d10c5997cd06995b3dc8ff8ca6798291f3cc517004d2988b8b7e9b23aa882c2",
            "source": "amazon-inspector"
        },
        {
            "sha256": "e41a88d3fab17af2429cc051cce026d47622123ce4005d3fbdda844dfca2783a",
            "id": "IN-MAL-2026-010236",
            "import_time": "2026-07-13T14:19:32.886694136Z",
            "modified_time": "2026-07-13T14:00:34Z",
            "versions": [
                "1.0.1"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.5"
            ],
            "id": "IN-MAL-2026-010234",
            "import_time": "2026-07-13T14:19:32.623385058Z",
            "sha256": "ec7a93ad727eb20b9987d469bd9c1c9885ccfe5ecac9f63c92533c39fdc9a89c",
            "modified_time": "2026-07-13T14:00:17Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "745e0484fcd3bb5744be7b89107df02e154151766df41f5342bb3d254a6bfaf2",
            "id": "IN-MAL-2026-010241",
            "import_time": "2026-07-13T14:19:33.352595298Z",
            "modified_time": "2026-07-13T14:02:19Z",
            "versions": [
                "1.0.9"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.4"
            ],
            "id": "IN-MAL-2026-010233",
            "import_time": "2026-07-13T14:19:32.555383223Z",
            "sha256": "8f214c46f243f81d8f8d1bf442c6ddca8e95504b06c03d0d4e4ea277f6e6380d",
            "modified_time": "2026-07-13T14:00:03Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "c7db9e51eaaff07cb242f7e8c3e55372eaf117bd3de26d4afd8699d819583222",
            "id": "IN-MAL-2026-010235",
            "import_time": "2026-07-13T14:19:32.755734536Z",
            "modified_time": "2026-07-13T14:00:25Z",
            "versions": [
                "1.0.8"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.6"
            ],
            "id": "IN-MAL-2026-010238",
            "import_time": "2026-07-13T14:19:33.045137651Z",
            "sha256": "ca5a4d93f2a1af3a3535ab75ee6af1743aa0cc1a2aa6cb2481ab9a84ee7c2b11",
            "modified_time": "2026-07-13T14:00:50Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-010232",
            "modified_time": "2026-07-13T13:59:56Z",
            "import_time": "2026-07-13T14:19:32.491123161Z",
            "sha256": "cbf90f128705bbda30cd157d15dce3a518690058121c9d7e93602d7223753084",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-010231",
            "import_time": "2026-07-13T14:19:32.330246437Z",
            "sha256": "d2e4ccb828d2b993f38efd1560ceacb99bec404cfaa4cf977f7897f494c2d1e3",
            "modified_time": "2026-07-13T13:59:48Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "78427df6d52276a54adb18106f55aa3d5bbb261808fefe9f66683e8aa441221d",
            "id": "IN-MAL-2026-010260",
            "import_time": "2026-07-13T15:30:31.210994562Z",
            "modified_time": "2026-07-13T14:22:23Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / node-procmetrics

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "node-procmetrics-1.0.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-54xx/blvdht/Taw6I2qN9sxvXb1Z5xTfGM37lryLXUYwTIV67qDljbxAmrLf6SXWECnvdyrejB7FKRcy9Ulczg==",
                "sha1": "6981ea069616a0978b30d9c01adbec591f9a3efc"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "55b1859567ff222847f7ea6ce21b951b563be0017549cdd0f98c2a211fc326c96e22d4",
            "sha256": "0da399938961e048e3d8049cd656c2539c449fb08c2bb47769ee521e00ac0834",
            "path": "install.js"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-procmetrics/MAL-2026-10445.json"