{"id":"MAL-2026-10445","summary":"Malicious code in node-procmetrics (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e41a88d3fab17af2429cc051cce026d47622123ce4005d3fbdda844dfca2783a)\ninstall.js executes automatically via the package.json postinstall hook. It XOR-decodes (key 0x5A) a hardcoded npm registry auth token and writes it into the installer's global npm config at //registry.npmjs.org/:_authToken, replacing the installer's own npm authentication with an attacker-controlled identity. It then polls registry.npmjs.org for this package's dist-tags, base64-decodes the 'cmd' field, and executes the resulting string via spawnSync('bash', ['-c', cmd],...) in an infinite loop, giving the publisher arbitrary shell execution on any machine that installs the package. The output and exit code of each executed command are base64-encoded, placed into a synthesized package.json description field under /tmp/pm-pkg, and pushed back to the public npm registry via 'npm publish --access public' using the hijacked token, using the registry itself as the exfiltration channel. For persistence, install.js copies itself to /tmp/.pm-agent.js and spawns a detached, unref'd Node process pointing at that file, so the polling loop survives past the npm install invocation. The combination of covert channel via dist-tags, XOR-obfuscated embedded credential, credential replacement in the installer's npm config, and detached persistent process is unambiguous backdoor behavior at install time.\n","modified":"2026-07-13T15:49:30.697252555Z","published":"2026-07-13T13:59:48Z","database_specific":{"malicious-packages-origins":[{"sha256":"4d10c5997cd06995b3dc8ff8ca6798291f3cc517004d2988b8b7e9b23aa882c2","import_time":"2026-07-13T14:19:32.964817481Z","id":"IN-MAL-2026-010237","modified_time":"2026-07-13T14:00:44Z","versions":["1.0.7"],"source":"amazon-inspector"},{"id":"IN-MAL-2026-010236","modified_time":"2026-07-13T14:00:34Z","versions":["1.0.1"],"source":"amazon-inspector","sha256":"e41a88d3fab17af2429cc051cce026d47622123ce4005d3fbdda844dfca2783a","import_time":"2026-07-13T14:19:32.886694136Z"},{"versions":["1.0.5"],"source":"amazon-inspector","sha256":"ec7a93ad727eb20b9987d469bd9c1c9885ccfe5ecac9f63c92533c39fdc9a89c","import_time":"2026-07-13T14:19:32.623385058Z","id":"IN-MAL-2026-010234","modified_time":"2026-07-13T14:00:17Z"},{"sha256":"745e0484fcd3bb5744be7b89107df02e154151766df41f5342bb3d254a6bfaf2","import_time":"2026-07-13T14:19:33.352595298Z","id":"IN-MAL-2026-010241","modified_time":"2026-07-13T14:02:19Z","versions":["1.0.9"],"source":"amazon-inspector"},{"versions":["1.0.4"],"source":"amazon-inspector","sha256":"8f214c46f243f81d8f8d1bf442c6ddca8e95504b06c03d0d4e4ea277f6e6380d","import_time":"2026-07-13T14:19:32.555383223Z","id":"IN-MAL-2026-010233","modified_time":"2026-07-13T14:00:03Z"},{"source":"amazon-inspector","sha256":"c7db9e51eaaff07cb242f7e8c3e55372eaf117bd3de26d4afd8699d819583222","import_time":"2026-07-13T14:19:32.755734536Z","id":"IN-MAL-2026-010235","modified_time":"2026-07-13T14:00:25Z","versions":["1.0.8"]},{"sha256":"ca5a4d93f2a1af3a3535ab75ee6af1743aa0cc1a2aa6cb2481ab9a84ee7c2b11","import_time":"2026-07-13T14:19:33.045137651Z","id":"IN-MAL-2026-010238","modified_time":"2026-07-13T14:00:50Z","versions":["1.0.6"],"source":"amazon-inspector"},{"modified_time":"2026-07-13T13:59:56Z","versions":["1.0.3"],"source":"amazon-inspector","sha256":"cbf90f128705bbda30cd157d15dce3a518690058121c9d7e93602d7223753084","import_time":"2026-07-13T14:19:32.491123161Z","id":"IN-MAL-2026-010232"},{"import_time":"2026-07-13T14:19:32.330246437Z","id":"IN-MAL-2026-010231","modified_time":"2026-07-13T13:59:48Z","versions":["1.0.2"],"source":"amazon-inspector","sha256":"d2e4ccb828d2b993f38efd1560ceacb99bec404cfaa4cf977f7897f494c2d1e3"},{"import_time":"2026-07-13T15:30:31.210994562Z","id":"IN-MAL-2026-010260","modified_time":"2026-07-13T14:22:23Z","versions":["1.0.0"],"source":"amazon-inspector","sha256":"78427df6d52276a54adb18106f55aa3d5bbb261808fefe9f66683e8aa441221d"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-procmetrics/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-procmetrics/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-procmetrics/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-procmetrics/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-procmetrics/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-procmetrics/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-procmetrics/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-procmetrics/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-procmetrics/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/node-procmetrics/v/1.0.0"}],"affected":[{"package":{"name":"node-procmetrics","ecosystem":"npm","purl":"pkg:npm/node-procmetrics"},"versions":["1.0.7","1.0.1","1.0.5","1.0.9","1.0.4","1.0.8","1.0.6","1.0.3","1.0.2","1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"node-procmetrics-1.0.7.tgz","hashes":{"sha512_sri":"sha512-54xx/blvdht/Taw6I2qN9sxvXb1Z5xTfGM37lryLXUYwTIV67qDljbxAmrLf6SXWECnvdyrejB7FKRcy9Ulczg==","sha1":"6981ea069616a0978b30d9c01adbec591f9a3efc"}}],"evidence_files":[{"sha256":"0da399938961e048e3d8049cd656c2539c449fb08c2bb47769ee521e00ac0834","tlsh":"55b1859567ff222847f7ea6ce21b951b563be0017549cdd0f98c2a211fc326c96e22d4","path":"install.js"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-procmetrics/MAL-2026-10445.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}