registry  /  node-fsagent  /  1.2.0

node-fsagent@1.2.0

Filesystem monitoring agent

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10506 confirms this npm version as malicious. The package tarball ships archive-sender.js, which archives the host path /root/.codex, splits the tar into ~200MB chunks, reconstructs an npm registry _authToken at runtime by XOR-ing an embedded byte array against a key array, writes that token into the local npm config via `npm config set //registry.npmjs.org/:_authToken`, and then invokes `npm publish --access public` on each chunk as sequential versioned...

Advisory
MAL-2026-10506
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-fsagent (npm)
Details
The package tarball ships archive-sender.js, which archives the host path /root/.codex, splits the tar into ~200MB chunks, reconstructs an npm registry _authToken at runtime by XOR-ing an embedded byte array against a key array, writes that token into the local npm config via `npm config set //registry.npmjs.org/:_authToken`, and then invokes `npm publish --access public` on each chunk as sequential versioned releases of the package name 'node-fsagent'. This uses the public npm registry as a covert data-exfiltration channel and simultaneously constitutes credential distribution: the embedded token grants publish rights to the token owner's npm account and would allow republishing over the 'node-fsagent' name (and any other packages owned by that account). The declared main entry (index.js) is a single newline and no lifecycle scripts are declared in package.json, so archive-sender.js does not auto-execute on `npm install` or on `require('node-fsagent')`; the malicious behavior fires only when the script is invoked directly. The package advertises no legitimate functionality (empty main, no documented API), and the shipped script's only purpose is host-path archival and registry-token-driven upload.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 2.28 KB of source

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 Medium1 Low
MediumEnvironment Vars
LowFilesystem