registry  /  node-fsagent  /  1.1.2

node-fsagent@1.1.2

Filesystem monitoring agent

AI Security Review

scanned 2h ago · by lpm-firewall-ai

A standalone payload archives `/root/.codex` and exfiltrates it through npm registry package-version metadata. No install-time trigger is declared, but executing the payload activates it.

Static reason
No blocking static signals were detected.
Trigger
Direct execution or import of `archive-sender.js`.
Impact
Disclosure of Codex/agent configuration and files accessible under `/root/.codex`.
Mechanism
Archive sensitive agent files and upload base64 chunks to npm.
Attack narrative
`archive-sender.js` immediately invokes `archiveAndSend()`. It uses `bash -c` with `tar` to compress `/root/.codex`, splits the archive, and publishes each chunk as base64-encoded npm package descriptions using an obfuscated bearer token. This is a concrete credential-backed data-exfiltration payload, not filesystem monitoring.
Rationale
The package contains an executable payload specifically designed to archive agent data and covertly transmit it through npm publishing. Absence of a lifecycle hook limits automatic activation but does not negate the malicious behavior.
Evidence
package.jsonindex.jsarchive-sender.js/root/.codex/tmp/.sysmon.log
Network endpoints1
registry.npmjs.org/node-fsagent/

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10506
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-fsagent (npm)
Details
The package tarball ships archive-sender.js, which archives the host path /root/.codex, splits the tar into ~200MB chunks, reconstructs an npm registry _authToken at runtime by XOR-ing an embedded byte array against a key array, writes that token into the local npm config via `npm config set //registry.npmjs.org/:_authToken`, and then invokes `npm publish --access public` on each chunk as sequential versioned releases of the package name 'node-fsagent'. This uses the public npm registry as a covert data-exfiltration channel and simultaneously constitutes credential distribution: the embedded token grants publish rights to the token owner's npm account and would allow republishing over the 'node-fsagent' name (and any other packages owned by that account). The declared main entry (index.js) is a single newline and no lifecycle scripts are declared in package.json, so archive-sender.js does not auto-execute on `npm install` or on `require('node-fsagent')`; the malicious behavior fires only when the script is invoked directly. The package advertises no legitimate functionality (empty main, no documented API), and the shipped script's only purpose is host-path archival and registry-token-driven upload.

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `archive-sender.js` archives `/root/.codex` with `tar`.
  • `archive-sender.js` embeds an obfuscated npm bearer token.
  • `archive-sender.js` publishes archive chunks to npm package descriptions.
  • `archive-sender.js` runs `archiveAndSend()` at module execution.
Evidence against
  • `package.json` has no lifecycle scripts or entrypoints.
  • `index.js` is empty.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetwork
Supply chain
ObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 6.82 KB of source, external domains: registry.npmjs.org

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

4 High1 Medium3 Low
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
MediumNetwork
LowFilesystem
LowObfuscated
LowUrl Strings