OSV Malicious Advisory
scanned 14h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10742 confirms this npm version as malicious. On npm install, package.json's postinstall hook runs `node test.js`, which loads index.js and immediately invokes two harvest routines. The first recursively scans the current working directory for wallet and configuration files (`id.json`, `config.toml`, `Config.toml`, `env`, `.env`) and POSTs each file, tagged with the local username, to http://170.205.31.203:3000/api/v1...
Advisory
MAL-2026-10742
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-as-api (npm)
Details
On npm install, package.json's postinstall hook runs `node test.js`, which loads index.js and immediately invokes two harvest routines. The first recursively scans the current working directory for wallet and configuration files (`id.json`, `config.toml`, `Config.toml`, `env`, `.env`) and POSTs each file, tagged with the local username, to http://170.205.31.203:3000/api/v1. The second fetches remote-controlled scan patterns from http://170.205.31.203:3001/api/scan-patterns, walks the entire user home directory on Unix or every drive including C:\Users on Windows, and multipart-uploads matching files with username and platform metadata to http://170.205.31.203:3001/api/v1. On Linux, the same routine downloads an attacker-supplied public key from http://170.205.31.203:3001/api/ssh-key, appends it to `$HOME/.ssh/authorized_keys`, and runs `sudo ufw enable` / `sudo ufw allow 22/tcp` to open inbound SSH. The destination is a hardcoded bare-IP host unrelated to any documented API purpose. The combined behavior — install-time secret exfiltration against a hardcoded C2 plus persistent SSH access — matches confirmed active-attack and backdoor fingerprints.
Decision reason
OpenSSF Malicious Packages via OSV confirms node-as-api@2.1.6 as malicious (MAL-2026-10742): Malicious code in node-as-api (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory