npm

node-procmetrics-data @1.0.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10464

Ecosystem

npm

Summary

node-procmetrics-data@1.0.1 ships archive-sender.js which, at install/execution, tars the installer's root filesystem (excluding /proc, /sys, /dev, /tmp, /run) into /tmp/.archive_*.tar.gz, splits the archive into 200MB chunks, and publishes each chunk as a new version of node-procmetrics-data to the public npm registry. Authentication uses a hardcoded npm _authToken shipped in the package as a hex literal XORed with 0x5A at runtime, and the code writes this token into the installer's npm config via npm config set //registry.npmjs.org/:_authToken . The registry is abused as a covert exfiltration channel, and the shipped token is obfuscated to evade static credential scanners. The publish loop also programmatically writes package.json/data.bin and runs npm publish --access public , extending the attacker's registry footprint from the installer's machine.

Source: amazon-inspector (5ea7e26b73fb4fa21cdd545045f2a360a02d1013efe25cd6ab7aedb1fec72c9b)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.