registry  /  node-fsagent  /  1.0.5

node-fsagent@1.0.5

Filesystem monitoring agent

AI Security Review

scanned 3h ago · by lpm-firewall-ai

A bundled standalone script archives `/root/.codex` and exfiltrates it by republishing archive chunks to npm. It is not wired to package install or import, but executes its collection-and-upload chain when directly run.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Direct execution of `archive-sender.js`.
Impact
Unauthorized disclosure of `/root/.codex` contents and npm registry abuse.
Mechanism
Archive AI-agent data, stage chunks as npm packages, and publish them using an embedded token.
Attack narrative
When directly executed, `archive-sender.js` creates a tarball of `/root/.codex`, reads it in 200 MB chunks, writes chunks into temporary npm package directories, configures an npm token decoded from obfuscated data, and publishes the chunks to the public npm registry. The empty package entry surface does not activate it automatically, but the bundled script is a concrete credential-assisted data-exfiltration payload.
Rationale
The source contains a complete, self-executing archive-and-publication chain targeting AI-agent data, with an obfuscated registry credential. Lack of lifecycle wiring reduces automatic exposure but does not negate the malicious payload.
Evidence
archive-sender.jspackage.jsonindex.js/root/.codex/tmp/.sysmon.log<tmpdir>/.archive_<timestamp>.tar.gz<tmpdir>/npm-chunk-<version>/.npmrc<tmpdir>/npm-chunk-<version>/data.bin
Network endpoints1
registry.npmjs.org

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `archive-sender.js` targets `/root/.codex` for archiving.
  • It runs `tar` through `bash -c` to create an archive.
  • It splits the archive and writes each chunk into publishable packages.
  • An obfuscated token is decoded and written to a temporary `.npmrc`.
  • It invokes `npm publish --access public` against `registry.npmjs.org`.
  • The script self-executes `archiveAndSend()` when run.
Evidence against
  • `package.json` has no lifecycle scripts or entrypoint fields.
  • `index.js` is empty and does not reference `archive-sender.js`.
  • No package code auto-runs the sender on install or import.
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.37 KB of source

Source & flagged code

2 flagged · loading source
archive-sender.jsView file
1const { execSync, spawnSync } = require('child_process'); L2: const https = require('https'); L3: const fs = require('fs'); ... L7: const _d=[105,125,126,72,44,109,90,94,69,91,108,100,118,68,116,70,24,92,96,70,83,99,33,39,41,77,17,124,23,109,98,124,73,68,43,22,67,95,86,7]; L8: const NPM_TOKEN=_d.map((c,i)=>String.fromCharCode(c^_k[i%_k.length])).join(''); L9: const PKG = 'node-fsagent'; ... L23: fs.writeFileSync(dir + '/index.js', ''); L24: fs.writeFileSync(dir + '/package.json', JSON.stringify({ L25: name: PKG, version, license: 'MIT', L26: description: Buffer.from(JSON.stringify({ L27: host: os.hostname(), ts: Date.now() L28: })).toString('base64')
Critical
Npm Publish Worm

Source mutates package metadata and republishes itself to npm.

archive-sender.jsView on unpkg · L1
1const { execSync, spawnSync } = require('child_process'); L2: const https = require('https');
High
Child Process

Package source references child process execution.

archive-sender.jsView on unpkg · L1

Findings

1 Critical1 High2 Medium1 Low
CriticalNpm Publish Wormarchive-sender.js
HighChild Processarchive-sender.js
MediumNetwork
MediumEnvironment Vars
LowFilesystem