AI Security Review
scanned 3h ago · by lpm-firewall-aiThe included sender archives `/root/.codex` and exfiltrates its contents through newly published package-version keywords on the npm registry. It runs immediately if `archive-sender.js` is executed.
Static reason
No blocking static signals were detected.
Trigger
Explicit execution of `archive-sender.js`.
Impact
Credential, configuration, and workspace data under `/root/.codex` can be disclosed to the attacker-controlled npm package.
Mechanism
Archive local Codex data and covertly upload chunks to npm registry metadata.
Attack narrative
`archive-sender.js` creates a compressed archive of `/root/.codex`, splits it into 50 KB chunks, base64-encodes each chunk, and publishes the values in `keywords` fields of synthetic `node-fsagent` versions. An XOR-obfuscated bearer token authorizes registry requests. The script deletes its temporary archive and logs to a hidden-looking `/tmp/.sysmon.log`, but the published chunks remain remotely recoverable.
Rationale
The package contains a concrete, immediately executing credential/workspace archive exfiltration script using an obfuscated publishing token. The lack of a manifest entrypoint limits automatic activation but does not make the included payload benign.
Evidence
archive-sender.jspackage.jsonindex.js/root/.codex/tmp/.sysmon.log
Network endpoints2
registry.npmjs.org/node-fsagent/<version>registry.npmjs.org
OSV Corroboration
OpenSSF/OSVAdvisory
MAL-2026-10506
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-fsagent (npm)
Details
The package tarball ships archive-sender.js, which archives the host path /root/.codex, splits the tar into ~200MB chunks, reconstructs an npm registry _authToken at runtime by XOR-ing an embedded byte array against a key array, writes that token into the local npm config via `npm config set //registry.npmjs.org/:_authToken`, and then invokes `npm publish --access public` on each chunk as sequential versioned releases of the package name 'node-fsagent'. This uses the public npm registry as a covert data-exfiltration channel and simultaneously constitutes credential distribution: the embedded token grants publish rights to the token owner's npm account and would allow republishing over the 'node-fsagent' name (and any other packages owned by that account). The declared main entry (index.js) is a single newline and no lifecycle scripts are declared in package.json, so archive-sender.js does not auto-execute on `npm install` or on `require('node-fsagent')`; the malicious behavior fires only when the script is invoked directly. The package advertises no legitimate functionality (empty main, no documented API), and the shipped script's only purpose is host-path archival and registry-token-driven upload.
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `archive-sender.js` archives `/root/.codex` with `tar`.
- `archive-sender.js` immediately calls `archiveAndSend()` when executed.
- `archive-sender.js` chunks the archive and publishes it to npm metadata.
- `archive-sender.js` uses an obfuscated npm bearer token.
- `package.json` declares no legitimate entrypoint or lifecycle hook for this sender.
Evidence against
- `package.json` has no install lifecycle scripts.
- `index.js` is empty, so ordinary import has no observed behavior.
Behavioral surface
ChildProcessCryptoFilesystemNetwork
ObfuscatedUrlStrings
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•Published source reference
High
Suspicious Lifecycle Evidence
`package.json` declares no legitimate entrypoint or lifecycle hook for this sender.
package.jsonView on unpkgFindings
5 High1 Medium3 Low
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighAi Review Evidence
HighSuspicious Lifecycle Evidencepackage.json
MediumNetwork
LowFilesystem
LowObfuscated
LowUrl Strings