npm

node-as-api @2.1.6

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10742

Ecosystem

npm

Summary

On npm install, package.json's postinstall hook runs node test.js , which loads index.js and immediately invokes two harvest routines. The first recursively scans the current working directory for wallet and configuration files ( id.json , config.toml , Config.toml , env , .env ) and POSTs each file, tagged with the local username, to http://170.205.31.203:3000/api/v1. The second fetches remote-controlled scan patterns from http://170.205.31.203:3001/api/scan-patterns, walks the entire user home directory on Unix or every drive including C:\Users on Windows, and multipart-uploads matching files with username and platform metadata to http://170.205.31.203:3001/api/v1. On Linux, the same routine downloads an attacker-supplied public key from http://170.205.31.203:3001/api/ssh-key, appends it to $HOME/.ssh/authorized_keys , and runs sudo ufw enable / sudo ufw allow 22/tcp to open inbound SSH. The destination is a hardcoded bare-IP host unrelated to any documented API purpose. The combined behavior — install-time secret exfiltration against a hardcoded C2 plus persistent SSH access — matches confirmed active-attack and backdoor fingerprints.

Source: amazon-inspector (616f74a5722026c25913e644651f1edc57ccb3ca2a6145c1543ff802b3b883b9)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.