npm

node-fsmetrics-data @1.0.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10479

Ecosystem

npm

Summary

The tarball contains archive-sender.js, which tars the directory /root/.codex, splits the archive into 200MB chunks, and uploads each chunk by running npm publish against a sibling package name (node-procmetrics-data), using an npm registry _authToken that is XOR-obfuscated (hex bytes XOR 0x5A) and written into ~/.npmrc at runtime. The current package's hostname is embedded in the published manifest description. archive-sender.js calls archiveAndSend() at the top level, so require / node on that file triggers the archive-and-publish flow immediately. In this version index.js is empty, package.json declares no lifecycle scripts, and no other file requires archive-sender.js, so a default npm install does not auto-execute the payload — but the payload is fully wired and ships as a ready-to-run file inside the tarball. The obfuscated bundled publish token additionally allows anyone who extracts it to push arbitrary versions to the npm account it belongs to.

Source: amazon-inspector (b67fad1d72f63941a3973df07e6cbd980c9e3c3bbe5041818f58b9be07d6b7e9)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.