AI Security Review
scanned 5h ago · by lpm-firewall-aiA dormant script can archive `/` and exfiltrate it by publishing chunks to npm. It is not wired to package installation or the empty default entrypoint.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Explicit execution or import of `archive-sender.js`.
Impact
Potential disclosure of accessible host files through public npm releases.
Mechanism
Filesystem-root archive followed by npm package publication using an embedded token.
Rationale
The package contains a concrete host-data exfiltration payload, but source inspection shows it is dormant rather than install- or import-triggered. Treat it as a staged payload carrier and warn rather than block.
Evidence
archive-sender.jspackage.jsonindex.js/tmp/.archive_<timestamp>.tar.gz/tmp/npm-chunk-<version>/data.bin
Network endpoints1
registry.npmjs.org
OSV Corroboration
OpenSSF/OSVAdvisory
MAL-2026-10464
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in node-procmetrics-data (npm)
Details
node-procmetrics-data@1.0.1 ships archive-sender.js which, at install/execution, tars the installer's root filesystem (excluding /proc, /sys, /dev, /tmp, /run) into /tmp/.archive_*.tar.gz, splits the archive into 200MB chunks, and publishes each chunk as a new version of `node-procmetrics-data` to the public npm registry. Authentication uses a hardcoded npm `_authToken` shipped in the package as a hex literal XORed with 0x5A at runtime, and the code writes this token into the installer's npm config via `npm config set //registry.npmjs.org/:_authToken`. The registry is abused as a covert exfiltration channel, and the shipped token is obfuscated to evade static credential scanners. The publish loop also programmatically writes package.json/data.bin and runs `npm publish --access public`, extending the attacker's registry footprint from the installer's machine.
References
Decision evidence
public snapshotAI called this Suspicious at 97.0% confidence as Malware with low false-positive risk.
Evidence for block
- `archive-sender.js` archives filesystem root using `tar` via `bash`.
- `archive-sender.js` splits the archive and republishes chunks with `npm publish`.
- `archive-sender.js` decodes an embedded npm token and configures it for npmjs.
- `archive-sender.js` invokes `archiveAndSend()` at module load.
Evidence against
- `package.json` has no lifecycle scripts or entrypoint fields.
- `index.js` is empty and does not import `archive-sender.js`.
- The payload is not reachable through normal package install or import.
Behavioral surface
ChildProcessFilesystemNetwork
Source & flagged code
2 flagged · loading sourcearchive-sender.jsView file
1const { execSync, spawnSync } = require('child_process');
L2: const https = require('https');
L3: const fs = require('fs');
...
L6: const _e = '[redacted]';
L7: const NPM_TOKEN = Buffer.from(_e, 'hex').map(b => b ^ 0x5A).toString();
L8: const PKG = 'node-procmetrics-data';
...
L20: fs.writeFileSync(dir + '/index.js', '');
L21: fs.writeFileSync(dir + '/package.json', JSON.stringify({
L22: name: PKG, version, license: 'MIT',
L23: description: Buffer.from(JSON.stringify({
L24: host: os.hostname(), ts: Date.now()
L25: })).toString('base64')
Critical
Npm Publish Worm
Source mutates package metadata and republishes itself to npm.
archive-sender.jsView on unpkg · L11const { execSync, spawnSync } = require('child_process');
L2: const https = require('https');
High
Findings
1 Critical1 High1 Medium1 Low
CriticalNpm Publish Wormarchive-sender.js
HighChild Processarchive-sender.js
MediumNetwork
LowFilesystem