registry  /  permcserver  /  1.0.0

permcserver@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10489 confirms this npm version as malicious. The package's `main` (index.js) is a 10-line FFI shim that spawns a worker, dlopens the bundled `lib-linux.so` via koffi, and immediately invokes the native entrypoint `vserver_start()`. The.so implements a VLESS-over-WebSocket proxy server: it performs the WebSocket handshake using the standard GUID `258EAFA5-E914-47DA-95CA-C5AB0DC85B11`, authenticates clients with a hardcoded UUID...

Advisory
MAL-2026-10489
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in permcserver (npm)
Details
The package's `main` (index.js) is a 10-line FFI shim that spawns a worker, dlopens the bundled `lib-linux.so` via koffi, and immediately invokes the native entrypoint `vserver_start()`. The.so implements a VLESS-over-WebSocket proxy server: it performs the WebSocket handshake using the standard GUID `258EAFA5-E914-47DA-95CA-C5AB0DC85B11`, authenticates clients with a hardcoded UUID (`4916e0f58abc4ad4ba5d158582c60d85`), and services outbound `CONNECT %s HTTP/1.1` requests with SOCKS5/HTTP upstream proxy support — turning the installer's host into an attacker-authenticated TCP relay on the moment the package is required. The package exports no library API; starting the proxy listener is the sole effect of importing it. The binary also enumerates hosting-panel port environment variables (`PTERODACTYL_PORT`, `MC_PORT`, `MINECRAFT_PORT`, `GAME_PORT`) and embeds a decoy `:: SYSTEM ONLINE::` / `MINECRAFT SERVER` HTML page — cover-story content consistent with the package name's implied Pterodactyl/Minecraft server helper purpose, which does not match the actual proxy-backdoor payload. Symbol strings `vless_ws.c`, `relay_thread`, and `dial_tcp` are present in the stripped.so. Requiring or loading this package gives whoever knows the hardcoded UUID persistent, authenticated tunneling access through the installer's machine and the ability to execute arbitrary native code in the Node process.
Decision reason
OpenSSF Malicious Packages via OSV confirms permcserver@1.0.0 as malicious (MAL-2026-10489): Malicious code in permcserver (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory