MAL-2026-10741

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/netcontrol-agent/MAL-2026-10741.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10741
Published
2026-07-16T18:40:53Z
Modified
2026-07-16T19:19:50.166246532Z
Summary
Malicious code in netcontrol-agent (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (967b375e5686bd1eab74838f00cd21c2a8e15291f03a8140b494a83052fd2a92)

netcontrol-agent.js implements a remote agent that long-polls a configured server URL and pipes the returned bytes directly into an interactive shell's stdin (cmd.exe on Windows, $SHELL or /bin/bash -i on Linux), while streaming stdout/stderr back to the server's /session/<id>/output endpoint. The relayLoop auto-attaches to any session the server advertises, so whoever controls NCSERVERURL obtains full interactive command execution on every host running the agent. The --install path escalates blast radius by writing a systemd unit that runs the agent as root, or a Windows scheduled task with /RU SYSTEM /RL HIGHEST /SC ONSTART, providing boot persistence at maximum privilege. An NCAUTOUPDATE mode downloads a replacement agent script from the same server and atomically overwrites AGENT_PATH, letting the server push arbitrary new code to installed hosts on the next poll. Collected host identifiers (os.hostname(), version) are also POSTed to the server. The remote-shell-plus-persistence-plus-self-update composition is a full backdoor mechanism regardless of the package's self-description.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-16T18:40:53Z",
            "sha256": "967b375e5686bd1eab74838f00cd21c2a8e15291f03a8140b494a83052fd2a92",
            "versions": [
                "1.0.5"
            ],
            "import_time": "2026-07-16T18:54:02.307188193Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010743"
        }
    ]
}
References
Credits

Affected packages

npm / netcontrol-agent

Package

Affected ranges

Affected versions

1.*
1.0.5

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "netcontrol-agent-1.0.5.tgz",
            "hashes": {
                "sha1": "3cb4d994e8739bff42a6eb98b3a2fee4d8953874",
                "sha512_sri": "sha512-CKpbjDKCtjDby2sunxJo6M6gipzbdV01dLvDZL4HHWa9vPwcc41f0u0f84PkockEYMPq1ww3kzdJLg1TvFpIkA=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "b6f2d57665f6423539a3d17eab0f50127b2af0077209d864b68c72846fcd82c9277dfa",
            "sha256": "5e6353c764e6e9d7054d76cb741748bfaa33d409ebbf646951db3619e2f3e388",
            "path": "netcontrol-agent.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/netcontrol-agent/MAL-2026-10741.json"