registry  /  node-fsagent  /  1.1.3

node-fsagent@1.1.3

Filesystem monitoring agent

AI Security Review

scanned 3h ago · by lpm-firewall-ai

The included sender archives `/root/.codex` and exfiltrates its contents through newly published package-version keywords on the npm registry. It runs immediately if `archive-sender.js` is executed.

Static reason
No blocking static signals were detected.
Trigger
Explicit execution of `archive-sender.js`.
Impact
Credential, configuration, and workspace data under `/root/.codex` can be disclosed to the attacker-controlled npm package.
Mechanism
Archive local Codex data and covertly upload chunks to npm registry metadata.
Attack narrative
`archive-sender.js` creates a compressed archive of `/root/.codex`, splits it into 50 KB chunks, base64-encodes each chunk, and publishes the values in `keywords` fields of synthetic `node-fsagent` versions. An XOR-obfuscated bearer token authorizes registry requests. The script deletes its temporary archive and logs to a hidden-looking `/tmp/.sysmon.log`, but the published chunks remain remotely recoverable.
Rationale
The package contains a concrete, immediately executing credential/workspace archive exfiltration script using an obfuscated publishing token. The lack of a manifest entrypoint limits automatic activation but does not make the included payload benign.
Evidence
archive-sender.jspackage.jsonindex.js/root/.codex/tmp/.sysmon.log
Network endpoints2
registry.npmjs.org/node-fsagent/<version>registry.npmjs.org

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10506
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-fsagent (npm)
Details
The package tarball ships archive-sender.js, which archives the host path /root/.codex, splits the tar into ~200MB chunks, reconstructs an npm registry _authToken at runtime by XOR-ing an embedded byte array against a key array, writes that token into the local npm config via `npm config set //registry.npmjs.org/:_authToken`, and then invokes `npm publish --access public` on each chunk as sequential versioned releases of the package name 'node-fsagent'. This uses the public npm registry as a covert data-exfiltration channel and simultaneously constitutes credential distribution: the embedded token grants publish rights to the token owner's npm account and would allow republishing over the 'node-fsagent' name (and any other packages owned by that account). The declared main entry (index.js) is a single newline and no lifecycle scripts are declared in package.json, so archive-sender.js does not auto-execute on `npm install` or on `require('node-fsagent')`; the malicious behavior fires only when the script is invoked directly. The package advertises no legitimate functionality (empty main, no documented API), and the shipped script's only purpose is host-path archival and registry-token-driven upload.

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `archive-sender.js` archives `/root/.codex` with `tar`.
  • `archive-sender.js` immediately calls `archiveAndSend()` when executed.
  • `archive-sender.js` chunks the archive and publishes it to npm metadata.
  • `archive-sender.js` uses an obfuscated npm bearer token.
  • `package.json` declares no legitimate entrypoint or lifecycle hook for this sender.
Evidence against
  • `package.json` has no install lifecycle scripts.
  • `index.js` is empty, so ordinary import has no observed behavior.
Behavioral surface
Source
ChildProcessCryptoFilesystemNetwork
Supply chain
ObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 7.14 KB of source, external domains: registry.npmjs.org

Source & flagged code

1 flagged · loading source
package.jsonView file
Published source reference
High
Suspicious Lifecycle Evidence

`package.json` declares no legitimate entrypoint or lifecycle hook for this sender.

package.jsonView on unpkg

Findings

5 High1 Medium3 Low
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighSuspicious Lifecycle Evidencepackage.json
MediumNetwork
LowFilesystem
LowObfuscated
LowUrl Strings