registry  /  ai-node-relay  /  0.0.2

ai-node-relay@0.0.2

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6518 confirms this npm version as malicious. ai-node-relay ships dist/index.js as its npm main entry, processed with javascript-obfuscator (string-array rotation, _0x-prefixed identifiers, base64 string decoder). The file ends with a top-level main() invocation that boots a Fastify server bound to 0.0.0.0:4001 and starts a heartbeat loop — any consumer who does `require('ai-node-relay')` immediately spawns a public-interface listener rather than getting a...

Advisory
MAL-2026-6518
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ai-node-relay (npm)
Details
ai-node-relay ships dist/index.js as its npm main entry, processed with javascript-obfuscator (string-array rotation, _0x-prefixed identifiers, base64 string decoder). The file ends with a top-level main() invocation that boots a Fastify server bound to 0.0.0.0:4001 and starts a heartbeat loop — any consumer who does `require('ai-node-relay')` immediately spawns a public-interface listener rather than getting a library handle. On startup the relay collects host fingerprint data (os.cpus, totalmem/freemem, platform, release, arch, uptime) and POSTs it with nodeId/url to `${GATEWAY_URL}/api/internal/node/register`; the destination is operator-configured via env var (default http://localhost:3007), matches the documented registration flow, and does not include installer secrets or an env-var dump. During periodic syncFromGateway, the gateway's JSON response is allowed to overwrite process.env.ENCRYPTION_KEY, ENCRYPTION_SECRET, ENCRYPTION_SALT, ENCRYPTION_AAD, and ENCRYPTION_ALGORITHM in the running process — a legitimate control-plane behavior given the operator chose the gateway, but one that materially expands the trust placed in whatever URL is configured. There is no install-time lifecycle hook, no fetch-and-execute of remote code, no credential scraping from ~/.aws/~/.ssh/~/.npmrc, and no hardcoded attacker destination. The combined pattern (obfuscation hiding the control flow + require()-time server bind to 0.0.0.0 + gateway-driven mutation of crypto material) warrants human review of maintainer trust and README accuracy before recommending the package, but it does not by itself constitute a supply-chain attack against installers. ## Source: ghsa-malware (15dbf12bf77945563589af277a5a11fc548f282dfb1ab8fb8b0e8253d28ec854) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms ai-node-relay@0.0.2 as malicious (MAL-2026-6518): Malicious code in ai-node-relay (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory