-= Per source details. Do not edit below this line.=-
The tarball contains archive-sender.js, which tars the directory /root/.codex, splits the archive into 200MB chunks, and uploads each chunk by running npm publish against a sibling package name (node-procmetrics-data), using an npm registry _authToken that is XOR-obfuscated (hex bytes XOR 0x5A) and written into ~/.npmrc at runtime. The current package's hostname is embedded in the published manifest description. archive-sender.js calls archiveAndSend() at the top level, so require/node on that file triggers the archive-and-publish flow immediately. In this version index.js is empty, package.json declares no lifecycle scripts, and no other file requires archive-sender.js, so a default npm install does not auto-execute the payload — but the payload is fully wired and ships as a ready-to-run file inside the tarball. The obfuscated bundled publish token additionally allows anyone who extracts it to push arbitrary versions to the npm account it belongs to.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T19:50:25Z",
"versions": [
"1.0.1"
],
"sha256": "b18309d790ca3508291fce9f9e6dd66837a1e5e4ba4e92008d5a9f5a9b613800",
"id": "IN-MAL-2026-010302",
"source": "amazon-inspector",
"import_time": "2026-07-13T20:29:54.102081153Z"
},
{
"modified_time": "2026-07-13T19:50:17Z",
"versions": [
"1.0.0"
],
"sha256": "b67fad1d72f63941a3973df07e6cbd980c9e3c3bbe5041818f58b9be07d6b7e9",
"id": "IN-MAL-2026-010301",
"source": "amazon-inspector",
"import_time": "2026-07-13T20:29:54.060558689Z"
}
]
}{
"evidence_files": [
{
"tlsh": "545173c71b696375aa77a8c59293e11553b7d1a33016f6e0b1ec83422f03a18c3b64b9",
"sha256": "7ebdf9d13216f1b60810c15020711e655a40693085216709c8eb3b87267406ee",
"path": "archive-sender.js"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "2f9f77a2f39e15c32cd37555f37489cc373177c5",
"sha512_sri": "sha512-FBWPwnwrJVJWNgSM2P4UxoUL6D6L9N3K4oZh5HKCVZDsXSzoSGg9tbHwHoTxaifNRadnYB/IIc8/OnrNbb1D6A=="
},
"filename": "node-fsmetrics-data-1.0.1.tgz"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-fsmetrics-data/MAL-2026-10479.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]