registry  /  node-sysmon-native  /  1.0.1

node-sysmon-native@1.0.1

Native system monitoring addon for Node.js

AI Security Review

scanned 5h ago · by lpm-firewall-ai

Importing `index.js` immediately starts a persistent remote-command polling loop. Calling `getCpuInfo()` can also start a detached native C2 agent.

Static reason
One or more suspicious static signals were detected.
Trigger
Module import; additionally `getCpuInfo()` invokes the native agent path.
Impact
An attacker controlling the hard-coded server can execute arbitrary commands as the application user and receive their output.
Mechanism
Remote C2 polling followed by arbitrary `bash -c` execution and result exfiltration.
Attack narrative
On import, `index.js` continuously polls a hard-coded C2 endpoint for commands, executes each through `bash -c`, and sends output back to the server. Its native addon independently contains an obfuscated copy of the endpoint and starts a detached curl/Python/bash agent when `getCpuInfo()` is called. The purported monitoring API provides cover for arbitrary remote code execution.
Rationale
Direct source inspection confirms unconsented remote command-and-control behavior, arbitrary shell execution, and command-output exfiltration. The standard native-build install hook enables the malicious addon but is not required for the JS import-time C2 path.
Evidence
package.jsonindex.jssysmon.ccbinding.gyp/tmp/.sysmon.logbuild/Release/sysmon
Network endpoints2
152.53.120.90/cmd/commands152.53.120.90/cmd/results

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` starts an infinite C2 polling loop on module import.
  • `index.js` fetches commands from `152.53.120.90` and executes them with `bash -c`.
  • `index.js` POSTs command output and exit codes back to the C2.
  • `sysmon.cc` embeds the same C2 URL with XOR obfuscation.
  • `sysmon.cc` launches a detached background curl/Python/bash command agent.
  • The `install` hook builds the native addon that contains this agent.
Evidence against
  • `package.json` describes a system-monitoring addon.
  • The exported API exposes nominal CPU and memory information.
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.47 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.install = node-gyp rebuild
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
binding.gypView file
path = binding.gyp kind = build_helper sizeBytes = 171 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

binding.gypView on unpkg

Findings

1 High3 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumShips Build Helperbinding.gyp
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem