OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10488 confirms this npm version as malicious. On require, index.js spawns a worker that uses koffi FFI to load a file named index.html and invoke its exported vserver_start(). Despite the extension, index.html is an aarch64 Linux ELF shared library built from vless_ws.c; it implements a VLESS-over-WebSocket proxy with a hardcoded client UUID 4916e0f5-8abc-4ad4-ba5d-158582c60d85, accepts WebSocket upgrades, and relays arbitrary attacker-directed TCP CONNECT...
Advisory
MAL-2026-10488
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in permcarmserver (npm)
Details
On require, index.js spawns a worker that uses koffi FFI to load a file named index.html and invoke its exported vserver_start(). Despite the extension, index.html is an aarch64 Linux ELF shared library built from vless_ws.c; it implements a VLESS-over-WebSocket proxy with a hardcoded client UUID 4916e0f5-8abc-4ad4-ba5d-158582c60d85, accepts WebSocket upgrades, and relays arbitrary attacker-directed TCP CONNECT traffic through the installing host. The ELF returns a decoy ':: SYSTEM ONLINE:: MINECRAFT SERVER' HTML page to casual HTTP probes as a cover story. One second after the worker signals 'started', index.js recursively deletes the installed package directory with fs.rmSync(pkgDir, { recursive: true, force: true }), while the loaded native library keeps running in memory. The combination of native ELF masquerading as HTML, FFI load on require, hardcoded VLESS identity, TCP relay capability, and post-activation self-deletion converts the installing host into a covert attacker-controlled proxy relay.
Decision reason
No blocking static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
Filesystem
NoLicense
Source & flagged code
1 flagged · loading sourceindex.htmlView file
•path = index.html
kind = native_binary
sizeBytes = 33784
magicHex = [redacted]
Medium
Findings
1 Medium2 Low
MediumShips Native Binaryindex.html
LowFilesystem
LowNo License