npm

netcontrol-agent @1.0.5

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10741

Ecosystem

npm

Summary

netcontrol-agent.js implements a remote agent that long-polls a configured server URL and pipes the returned bytes directly into an interactive shell's stdin (cmd.exe on Windows, $SHELL or /bin/bash -i on Linux), while streaming stdout/stderr back to the server's /session/<id>/output endpoint. The relayLoop auto-attaches to any session the server advertises, so whoever controls NC_SERVER_URL obtains full interactive command execution on every host running the agent. The --install path escalates blast radius by writing a systemd unit that runs the agent as root, or a Windows scheduled task with /RU SYSTEM /RL HIGHEST /SC ONSTART, providing boot persistence at maximum privilege. An NC_AUTO_UPDATE mode downloads a replacement agent script from the same server and atomically overwrites AGENT_PATH, letting the server push arbitrary new code to installed hosts on the next poll. Collected host identifiers (os.hostname(), version) are also POSTed to the server. The remote-shell-plus-persistence-plus-self-update composition is a full backdoor mechanism regardless of the package's self-description.

Source: amazon-inspector (967b375e5686bd1eab74838f00cd21c2a8e15291f03a8140b494a83052fd2a92)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.