-= Per source details. Do not edit below this line.=-
netcontrol-agent.js implements a remote agent that long-polls a configured server URL and pipes the returned bytes directly into an interactive shell's stdin (cmd.exe on Windows, $SHELL or /bin/bash -i on Linux), while streaming stdout/stderr back to the server's /session/<id>/output endpoint. The relayLoop auto-attaches to any session the server advertises, so whoever controls NCSERVERURL obtains full interactive command execution on every host running the agent. The --install path escalates blast radius by writing a systemd unit that runs the agent as root, or a Windows scheduled task with /RU SYSTEM /RL HIGHEST /SC ONSTART, providing boot persistence at maximum privilege. An NCAUTOUPDATE mode downloads a replacement agent script from the same server and atomically overwrites AGENT_PATH, letting the server push arbitrary new code to installed hosts on the next poll. Collected host identifiers (os.hostname(), version) are also POSTed to the server. The remote-shell-plus-persistence-plus-self-update composition is a full backdoor mechanism regardless of the package's self-description.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-16T18:40:53Z",
"sha256": "967b375e5686bd1eab74838f00cd21c2a8e15291f03a8140b494a83052fd2a92",
"versions": [
"1.0.5"
],
"import_time": "2026-07-16T18:54:02.307188193Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010743"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "netcontrol-agent-1.0.5.tgz",
"hashes": {
"sha1": "3cb4d994e8739bff42a6eb98b3a2fee4d8953874",
"sha512_sri": "sha512-CKpbjDKCtjDby2sunxJo6M6gipzbdV01dLvDZL4HHWa9vPwcc41f0u0f84PkockEYMPq1ww3kzdJLg1TvFpIkA=="
}
}
],
"evidence_files": [
{
"tlsh": "b6f2d57665f6423539a3d17eab0f50127b2af0077209d864b68c72846fcd82c9277dfa",
"sha256": "5e6353c764e6e9d7054d76cb741748bfaa33d409ebbf646951db3619e2f3e388",
"path": "netcontrol-agent.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/netcontrol-agent/MAL-2026-10741.json"