registry  /  netcontrol-agent  /  1.0.5

netcontrol-agent@1.0.5

A Node agent that collects system metrics like CPU, RAM, disk, network usage, and uptime to a remote server.

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10741 confirms this npm version as malicious. netcontrol-agent.js implements a remote agent that long-polls a configured server URL and pipes the returned bytes directly into an interactive shell's stdin (cmd.exe on Windows, $SHELL or /bin/bash -i on Linux), while streaming stdout/stderr back to the server's /session/<id>/output endpoint...

Advisory
MAL-2026-10741
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in netcontrol-agent (npm)
Details
netcontrol-agent.js implements a remote agent that long-polls a configured server URL and pipes the returned bytes directly into an interactive shell's stdin (cmd.exe on Windows, $SHELL or /bin/bash -i on Linux), while streaming stdout/stderr back to the server's /session/<id>/output endpoint. The relayLoop auto-attaches to any session the server advertises, so whoever controls NC_SERVER_URL obtains full interactive command execution on every host running the agent. The --install path escalates blast radius by writing a systemd unit that runs the agent as root, or a Windows scheduled task with /RU SYSTEM /RL HIGHEST /SC ONSTART, providing boot persistence at maximum privilege. An NC_AUTO_UPDATE mode downloads a replacement agent script from the same server and atomically overwrites AGENT_PATH, letting the server push arbitrary new code to installed hosts on the next poll. Collected host identifiers (os.hostname(), version) are also POSTed to the server. The remote-shell-plus-persistence-plus-self-update composition is a full backdoor mechanism regardless of the package's self-description.
Decision reason
OpenSSF Malicious Packages via OSV confirms netcontrol-agent@1.0.5 as malicious (MAL-2026-10741): Malicious code in netcontrol-agent (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory