-= Per source details. Do not edit below this line.=-
install.js executes automatically via the package.json postinstall hook. It XOR-decodes (key 0x5A) a hardcoded npm registry auth token and writes it into the installer's global npm config at //registry.npmjs.org/:_authToken, replacing the installer's own npm authentication with an attacker-controlled identity. It then polls registry.npmjs.org for this package's dist-tags, base64-decodes the 'cmd' field, and executes the resulting string via spawnSync('bash', ['-c', cmd],...) in an infinite loop, giving the publisher arbitrary shell execution on any machine that installs the package. The output and exit code of each executed command are base64-encoded, placed into a synthesized package.json description field under /tmp/pm-pkg, and pushed back to the public npm registry via 'npm publish --access public' using the hijacked token, using the registry itself as the exfiltration channel. For persistence, install.js copies itself to /tmp/.pm-agent.js and spawns a detached, unref'd Node process pointing at that file, so the polling loop survives past the npm install invocation. The combination of covert channel via dist-tags, XOR-obfuscated embedded credential, credential replacement in the installer's npm config, and detached persistent process is unambiguous backdoor behavior at install time.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.7"
],
"id": "IN-MAL-2026-010237",
"modified_time": "2026-07-13T14:00:44Z",
"import_time": "2026-07-13T14:19:32.964817481Z",
"sha256": "4d10c5997cd06995b3dc8ff8ca6798291f3cc517004d2988b8b7e9b23aa882c2",
"source": "amazon-inspector"
},
{
"sha256": "e41a88d3fab17af2429cc051cce026d47622123ce4005d3fbdda844dfca2783a",
"id": "IN-MAL-2026-010236",
"import_time": "2026-07-13T14:19:32.886694136Z",
"modified_time": "2026-07-13T14:00:34Z",
"versions": [
"1.0.1"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.0.5"
],
"id": "IN-MAL-2026-010234",
"import_time": "2026-07-13T14:19:32.623385058Z",
"sha256": "ec7a93ad727eb20b9987d469bd9c1c9885ccfe5ecac9f63c92533c39fdc9a89c",
"modified_time": "2026-07-13T14:00:17Z",
"source": "amazon-inspector"
},
{
"sha256": "745e0484fcd3bb5744be7b89107df02e154151766df41f5342bb3d254a6bfaf2",
"id": "IN-MAL-2026-010241",
"import_time": "2026-07-13T14:19:33.352595298Z",
"modified_time": "2026-07-13T14:02:19Z",
"versions": [
"1.0.9"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.0.4"
],
"id": "IN-MAL-2026-010233",
"import_time": "2026-07-13T14:19:32.555383223Z",
"sha256": "8f214c46f243f81d8f8d1bf442c6ddca8e95504b06c03d0d4e4ea277f6e6380d",
"modified_time": "2026-07-13T14:00:03Z",
"source": "amazon-inspector"
},
{
"sha256": "c7db9e51eaaff07cb242f7e8c3e55372eaf117bd3de26d4afd8699d819583222",
"id": "IN-MAL-2026-010235",
"import_time": "2026-07-13T14:19:32.755734536Z",
"modified_time": "2026-07-13T14:00:25Z",
"versions": [
"1.0.8"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.0.6"
],
"id": "IN-MAL-2026-010238",
"import_time": "2026-07-13T14:19:33.045137651Z",
"sha256": "ca5a4d93f2a1af3a3535ab75ee6af1743aa0cc1a2aa6cb2481ab9a84ee7c2b11",
"modified_time": "2026-07-13T14:00:50Z",
"source": "amazon-inspector"
},
{
"versions": [
"1.0.3"
],
"id": "IN-MAL-2026-010232",
"modified_time": "2026-07-13T13:59:56Z",
"import_time": "2026-07-13T14:19:32.491123161Z",
"sha256": "cbf90f128705bbda30cd157d15dce3a518690058121c9d7e93602d7223753084",
"source": "amazon-inspector"
},
{
"versions": [
"1.0.2"
],
"id": "IN-MAL-2026-010231",
"import_time": "2026-07-13T14:19:32.330246437Z",
"sha256": "d2e4ccb828d2b993f38efd1560ceacb99bec404cfaa4cf977f7897f494c2d1e3",
"modified_time": "2026-07-13T13:59:48Z",
"source": "amazon-inspector"
},
{
"sha256": "78427df6d52276a54adb18106f55aa3d5bbb261808fefe9f66683e8aa441221d",
"id": "IN-MAL-2026-010260",
"import_time": "2026-07-13T15:30:31.210994562Z",
"modified_time": "2026-07-13T14:22:23Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "node-procmetrics-1.0.7.tgz",
"hashes": {
"sha512_sri": "sha512-54xx/blvdht/Taw6I2qN9sxvXb1Z5xTfGM37lryLXUYwTIV67qDljbxAmrLf6SXWECnvdyrejB7FKRcy9Ulczg==",
"sha1": "6981ea069616a0978b30d9c01adbec591f9a3efc"
}
}
],
"evidence_files": [
{
"tlsh": "55b1859567ff222847f7ea6ce21b951b563be0017549cdd0f98c2a211fc326c96e22d4",
"sha256": "0da399938961e048e3d8049cd656c2539c449fb08c2bb47769ee521e00ac0834",
"path": "install.js"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-procmetrics/MAL-2026-10445.json"