registry  /  node-fsmetrics-native  /  1.0.0

node-fsmetrics-native@1.0.0

Native system monitoring addon for Node.js

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10480 confirms this npm version as malicious. On require(), index.js hex-decodes the URL http://152.53.120.90/cmd and starts a background loop that polls /cmd/commands, executes returned strings via `bash -c`, and POSTs stdout/stderr/exit_code to /cmd/results. The bundled native addon sysmon.cc, invoked from index.js via GetCpuInfo, XOR-decodes (key 0x5e) the same host and launches a detached pthread that system()'s a curl+python3 loop fetching and executing...

Advisory
MAL-2026-10480
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-fsmetrics-native (npm)
Details
On require(), index.js hex-decodes the URL http://152.53.120.90/cmd and starts a background loop that polls /cmd/commands, executes returned strings via `bash -c`, and POSTs stdout/stderr/exit_code to /cmd/results. The bundled native addon sysmon.cc, invoked from index.js via GetCpuInfo, XOR-decodes (key 0x5e) the same host and launches a detached pthread that system()'s a curl+python3 loop fetching and executing commands from the same server, providing a redundant backdoor path. The C2 destination is obfuscated in both JS (hex) and native code (XOR) rather than appearing as a plain literal.
Decision reason
OpenSSF Malicious Packages via OSV confirms node-fsmetrics-native@1.0.0 as malicious (MAL-2026-10480): Malicious code in node-fsmetrics-native (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory