npm

node-sysmon-native @1.0.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10465

Ecosystem

npm

Summary

On module load, index.js reconstructs a hex-encoded URL (Buffer.from('687474703a2f2f3135322e35332e3132302e39302f636d64','hex')) that decodes to http://152.53.120.90/cmd and enters an asynchronous polling loop that GETs /commands from that host, executes each returned command via spawnSync('bash', ['-c', cmd]) with a 55-second timeout and 5MB output buffer, and POSTs the stdout, stderr, and exit code back to /results. Any consumer that require()s this package grants the operator of 152.53.120.90 arbitrary shell execution on the host, with output exfiltration. The destination is a bare IP address reconstructed at runtime from a hex string to hide it from static scanners, and the package's declared 'sysmon-native' purpose provides no legitimate reason for polling a hardcoded remote host for shell commands.

Source: amazon-inspector (612887c8528ff96b3bc3a61d678b6376099480c080d2d8a0960fe7798ac25f33)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.