-= Per source details. Do not edit below this line.=-
On npm install, package.json's postinstall hook runs node test.js, which loads index.js and immediately invokes two harvest routines. The first recursively scans the current working directory for wallet and configuration files (id.json, config.toml, Config.toml, env, .env) and POSTs each file, tagged with the local username, to http://170.205.31.203:3000/api/v1. The second fetches remote-controlled scan patterns from http://170.205.31.203:3001/api/scan-patterns, walks the entire user home directory on Unix or every drive including C:\Users on Windows, and multipart-uploads matching files with username and platform metadata to http://170.205.31.203:3001/api/v1. On Linux, the same routine downloads an attacker-supplied public key from http://170.205.31.203:3001/api/ssh-key, appends it to $HOME/.ssh/authorized_keys, and runs sudo ufw enable / sudo ufw allow 22/tcp to open inbound SSH. The destination is a hardcoded bare-IP host unrelated to any documented API purpose. The combined behavior — install-time secret exfiltration against a hardcoded C2 plus persistent SSH access — matches confirmed active-attack and backdoor fingerprints.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010693",
"sha256": "616f74a5722026c25913e644651f1edc57ccb3ca2a6145c1543ff802b3b883b9",
"import_time": "2026-07-16T18:53:59.455249866Z",
"modified_time": "2026-07-16T18:33:15Z",
"source": "amazon-inspector",
"versions": [
"2.1.6"
]
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "node-as-api-2.1.6.tgz",
"hashes": {
"sha1": "724c81a31309a01c0daeb69393e1515a2530df15",
"sha512_sri": "sha512-kDeMbb/0qD9cj9MS/eyBSiSKOrgu/vZlEGXbGD++Hgl9B4jg7thtw0fKaxbOq4erPNYD73ztdWE8h/QQ4URWPA=="
}
}
],
"evidence_files": [
{
"tlsh": "ef02934ca6fb2a2183b371ac468f1415b59ac0033949cd81b2cc97546f8f93d65f6ede",
"sha256": "d986a2e0a9eb3fc3781e166ff6b700e0d38249a6c9649982243c3754671f42d9",
"path": "index.js"
},
{
"tlsh": "87f0ed27ce288e6328f135a8287c0627f291932f0104880f35bd265c4fba1230085f1e",
"sha256": "cebb06f563cec69a6a80033fbe02cb1bc63a35acd8ed2d8d48074cf276698d7b",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-as-api/MAL-2026-10742.json"