node-as-api @2.1.6
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10742
Ecosystem
npm
Summary
On npm install, package.json's postinstall hook runs node test.js , which loads index.js and immediately invokes two harvest routines. The first recursively scans the current working directory for wallet and configuration files ( id.json , config.toml , Config.toml , env , .env ) and POSTs each file, tagged with the local username, to http://170.205.31.203:3000/api/v1. The second fetches remote-controlled scan patterns from http://170.205.31.203:3001/api/scan-patterns, walks the entire user home directory on Unix or every drive including C:\Users on Windows, and multipart-uploads matching files with username and platform metadata to http://170.205.31.203:3001/api/v1. On Linux, the same routine downloads an attacker-supplied public key from http://170.205.31.203:3001/api/ssh-key, appends it to $HOME/.ssh/authorized_keys , and runs sudo ufw enable / sudo ufw allow 22/tcp to open inbound SSH. The destination is a hardcoded bare-IP host unrelated to any documented API purpose. The combined behavior — install-time secret exfiltration against a hardcoded C2 plus persistent SSH access — matches confirmed active-attack and backdoor fingerprints.
Source: amazon-inspector (616f74a5722026c25913e644651f1edc57ccb3ca2a6145c1543ff802b3b883b9)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.