registry  /  node-fsmetrics-data  /  1.0.1

node-fsmetrics-data@1.0.1

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10479 confirms this npm version as malicious. The tarball contains archive-sender.js, which tars the directory /root/.codex, splits the archive into 200MB chunks, and uploads each chunk by running `npm publish` against a sibling package name (node-procmetrics-data), using an npm registry `_authToken` that is XOR-obfuscated (hex bytes XOR 0x5A) and written into ~/.npmrc at runtime. The current package's hostname is embedded in the published manifest description...

Advisory
MAL-2026-10479
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-fsmetrics-data (npm)
Details
The tarball contains archive-sender.js, which tars the directory /root/.codex, splits the archive into 200MB chunks, and uploads each chunk by running `npm publish` against a sibling package name (node-procmetrics-data), using an npm registry `_authToken` that is XOR-obfuscated (hex bytes XOR 0x5A) and written into ~/.npmrc at runtime. The current package's hostname is embedded in the published manifest description. archive-sender.js calls archiveAndSend() at the top level, so `require`/`node` on that file triggers the archive-and-publish flow immediately. In this version index.js is empty, package.json declares no lifecycle scripts, and no other file requires archive-sender.js, so a default `npm install` does not auto-execute the payload — but the payload is fully wired and ships as a ready-to-run file inside the tarball. The obfuscated bundled publish token additionally allows anyone who extracts it to push arbitrary versions to the npm account it belongs to.
Decision reason
OpenSSF Malicious Packages via OSV confirms node-fsmetrics-data@1.0.1 as malicious (MAL-2026-10479): Malicious code in node-fsmetrics-data (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory