AI Security Review
scanned 3h ago · by lpm-firewall-aiA bundled sender archives the Codex configuration directory and exfiltrates it by publishing encoded chunks to npm. It is not wired to install or import, but executing the file activates the theft chain.
Static reason
No blocking static signals were detected.
Trigger
Explicit execution of `archive-sender.js`.
Impact
Credential and configuration exfiltration to an attacker-controlled npm package publication path.
Mechanism
Archive `/root/.codex` and publish encoded chunks using an embedded npm token.
Attack narrative
`archive-sender.js` creates a tar.gz of `/root/.codex`, splits it into chunks, and sends each chunk to the npm registry by placing base64 data in newly published package descriptions. Its embedded obfuscated bearer token and logging indicate a deliberate data-exfiltration workflow.
Rationale
Although no lifecycle hook or import path triggers it automatically, the package contains a concrete credential/configuration theft and npm-upload mechanism. The source establishes malicious intent rather than a benign filesystem-monitoring feature.
Evidence
archive-sender.jsindex.jspackage.json/root/.codex/tmp/.sysmon.log
Network endpoints1
registry.npmjs.org/node-fsagent
OSV Corroboration
OpenSSF/OSVAdvisory
MAL-2026-10506
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-fsagent (npm)
Details
The package tarball ships archive-sender.js, which archives the host path /root/.codex, splits the tar into ~200MB chunks, reconstructs an npm registry _authToken at runtime by XOR-ing an embedded byte array against a key array, writes that token into the local npm config via `npm config set //registry.npmjs.org/:_authToken`, and then invokes `npm publish --access public` on each chunk as sequential versioned releases of the package name 'node-fsagent'. This uses the public npm registry as a covert data-exfiltration channel and simultaneously constitutes credential distribution: the embedded token grants publish rights to the token owner's npm account and would allow republishing over the 'node-fsagent' name (and any other packages owned by that account). The declared main entry (index.js) is a single newline and no lifecycle scripts are declared in package.json, so archive-sender.js does not auto-execute on `npm install` or on `require('node-fsagent')`; the malicious behavior fires only when the script is invoked directly. The package advertises no legitimate functionality (empty main, no documented API), and the shipped script's only purpose is host-path archival and registry-token-driven upload.
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `archive-sender.js` archives `/root/.codex` with `tar`.
- `archive-sender.js` embeds an obfuscated npm bearer token.
- It publishes archive chunks as base64 package descriptions.
- The sender uploads to `registry.npmjs.org` via HTTPS.
Evidence against
- `package.json` defines no lifecycle scripts or entrypoints.
- `index.js` is empty, so ordinary import has no observed behavior.
Behavioral surface
ChildProcessCryptoFilesystemNetwork
ObfuscatedUrlStrings
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
4 High1 Medium3 Low
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
MediumNetwork
LowFilesystem
LowObfuscated
LowUrl Strings