MAL-2026-10479

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-fsmetrics-data/MAL-2026-10479.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10479
Published
2026-07-13T19:50:17Z
Modified
2026-07-13T20:46:58.404542999Z
Summary
Malicious code in node-fsmetrics-data (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b67fad1d72f63941a3973df07e6cbd980c9e3c3bbe5041818f58b9be07d6b7e9)

The tarball contains archive-sender.js, which tars the directory /root/.codex, splits the archive into 200MB chunks, and uploads each chunk by running npm publish against a sibling package name (node-procmetrics-data), using an npm registry _authToken that is XOR-obfuscated (hex bytes XOR 0x5A) and written into ~/.npmrc at runtime. The current package's hostname is embedded in the published manifest description. archive-sender.js calls archiveAndSend() at the top level, so require/node on that file triggers the archive-and-publish flow immediately. In this version index.js is empty, package.json declares no lifecycle scripts, and no other file requires archive-sender.js, so a default npm install does not auto-execute the payload — but the payload is fully wired and ships as a ready-to-run file inside the tarball. The obfuscated bundled publish token additionally allows anyone who extracts it to push arbitrary versions to the npm account it belongs to.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T19:50:25Z",
            "versions": [
                "1.0.1"
            ],
            "sha256": "b18309d790ca3508291fce9f9e6dd66837a1e5e4ba4e92008d5a9f5a9b613800",
            "id": "IN-MAL-2026-010302",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T20:29:54.102081153Z"
        },
        {
            "modified_time": "2026-07-13T19:50:17Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "b67fad1d72f63941a3973df07e6cbd980c9e3c3bbe5041818f58b9be07d6b7e9",
            "id": "IN-MAL-2026-010301",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T20:29:54.060558689Z"
        }
    ]
}
References
Credits

Affected packages

npm / node-fsmetrics-data

Package

Name
node-fsmetrics-data
View open source insights on deps.dev
Purl
pkg:npm/node-fsmetrics-data

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "545173c71b696375aa77a8c59293e11553b7d1a33016f6e0b1ec83422f03a18c3b64b9",
            "sha256": "7ebdf9d13216f1b60810c15020711e655a40693085216709c8eb3b87267406ee",
            "path": "archive-sender.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "2f9f77a2f39e15c32cd37555f37489cc373177c5",
                "sha512_sri": "sha512-FBWPwnwrJVJWNgSM2P4UxoUL6D6L9N3K4oZh5HKCVZDsXSzoSGg9tbHwHoTxaifNRadnYB/IIc8/OnrNbb1D6A=="
            },
            "filename": "node-fsmetrics-data-1.0.1.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-fsmetrics-data/MAL-2026-10479.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]