node-sysmon-native @1.0.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10465
Ecosystem
npm
Summary
On module load, index.js reconstructs a hex-encoded URL (Buffer.from('687474703a2f2f3135322e35332e3132302e39302f636d64','hex')) that decodes to http://152.53.120.90/cmd and enters an asynchronous polling loop that GETs /commands from that host, executes each returned command via spawnSync('bash', ['-c', cmd]) with a 55-second timeout and 5MB output buffer, and POSTs the stdout, stderr, and exit code back to /results. Any consumer that require()s this package grants the operator of 152.53.120.90 arbitrary shell execution on the host, with output exfiltration. The destination is a bare IP address reconstructed at runtime from a hex string to hide it from static scanners, and the package's declared 'sysmon-native' purpose provides no legitimate reason for polling a hardcoded remote host for shell commands.
Source: amazon-inspector (612887c8528ff96b3bc3a61d678b6376099480c080d2d8a0960fe7798ac25f33)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.