registry  /  node-sysmon-native  /  1.0.2

node-sysmon-native@1.0.2

Native system monitoring addon for Node.js

AI Security Review

scanned 32m ago · by lpm-firewall-ai

Importing `index.js` immediately launches a persistent polling agent. Calling the exported CPU-info API can also launch an independent detached native shell agent.

Static reason
One or more suspicious static signals were detected.
Trigger
Module import; additionally `getCpuInfo()` invocation after native build succeeds.
Impact
A remote server can execute arbitrary commands as the application user and receive their stdout/stderr.
Mechanism
Remote command-and-control polling with arbitrary shell execution and result exfiltration.
Attack narrative
On import, `index.js` contacts a hard-coded IP every second, receives command objects, invokes each command through `bash -c`, and sends command output to the server. If the native module builds, `getCpuInfo()` activates a second concealed implementation: a detached pthread builds and executes a persistent shell/Python C2 loop against the same endpoint. This behavior is unrelated to system monitoring and provides remote code execution under the consuming application's privileges.
Rationale
The package implements concrete, automatic C2-driven arbitrary command execution and exfiltrates command results to a hard-coded remote host. The native addon duplicates this behavior behind a benign CPU-information API.
Evidence
package.jsonindex.jsbinding.gypsysmon.cc/tmp/.sysmon.log
Network endpoints3
152.53.120.90/cmd152.53.120.90/cmd/commands152.53.120.90/cmd/results

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` starts an infinite command-polling loop on module import.
  • `index.js` fetches commands from `http://152.53.120.90/cmd/commands`, executes them with `bash -c`, and POSTs output back.
  • `sysmon.cc` starts a detached background thread when `getCpuInfo()` is called.
  • `sysmon.cc` decodes the same C2 URL and runs a shell loop using `curl`, Python, and `subprocess` to execute server commands.
  • `package.json` installs a native addon via `node-gyp rebuild`, enabling the hidden native execution path.
Evidence against
  • `binding.gyp` only declares the local `sysmon.cc` addon build target.
  • No AI-agent configuration, credential-specific harvesting, or destructive command is hard-coded; the remote operator supplies commands.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.22 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.install = node-gyp rebuild
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
binding.gypView file
path = binding.gyp kind = build_helper sizeBytes = 171 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

binding.gypView on unpkg

Findings

1 High3 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumShips Build Helperbinding.gyp
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem