node-sysmetrics @1.0.1
Vulnerability report · Last retrieved from osv.dev July 13, 2026 at 7:40 AM UTC
OSV ID
MAL-2026-10216
Ecosystem
npm
Summary
On npm install, install.js executes as a postinstall script and drops a detached background Node process at /tmp/.sysm-agent.js that persists after installation. The agent enters an infinite polling loop against registry.npmjs.org, reading the package's own dist-tags for base64-encoded commands, decoding them, and executing them via bash -c on the installer's host. Command output is then base64-encoded and exfiltrated by publishing throwaway public npm packages containing the encoded output in the description field, using a hardcoded npm auth token embedded in install.js. The same token is written into the installer's global npm config at ~/.npmrc via npm config set //registry.npmjs.org/:_authToken , hijacking the installer's package manager credentials. Base64 encoding is used on both the inbound command channel and the outbound result channel to evade casual inspection of registry metadata.
Source: amazon-inspector (e624a951ebd9352b2b8d47bf80d418a01674640ec2d2b2592f00bb446f110c68)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.