npm

permcserver @1.0.3

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10489

Ecosystem

npm

Summary

The package's main (index.js) is a 10-line FFI shim that spawns a worker, dlopens the bundled lib-linux.so via koffi, and immediately invokes the native entrypoint vserver_start() . The.so implements a VLESS-over-WebSocket proxy server: it performs the WebSocket handshake using the standard GUID 258EAFA5-E914-47DA-95CA-C5AB0DC85B11 , authenticates clients with a hardcoded UUID ( 4916e0f58abc4ad4ba5d158582c60d85 ), and services outbound CONNECT %s HTTP/1.1 requests with SOCKS5/HTTP upstream proxy support — turning the installer's host into an attacker-authenticated TCP relay on the moment the package is required. The package exports no library API; starting the proxy listener is the sole effect of importing it. The binary also enumerates hosting-panel port environment variables ( PTERODACTYL_PORT , MC_PORT , MINECRAFT_PORT , GAME_PORT ) and embeds a decoy :: SYSTEM ONLINE:: / MINECRAFT SERVER HTML page — cover-story content consistent with the package name's implied Pterodactyl/Minecraft server helper purpose, which does not match the actual proxy-backdoor payload. Symbol strings vless_ws.c , relay_thread , and dial_tcp are present in the stripped.so. Requiring or loading this package gives whoever knows the hardcoded UUID persistent, authenticated tunneling access through the installer's machine and the ability to execute arbitrary native code in the Node process.

Source: amazon-inspector (cf9fcdfd2e40ddb8c0aef4fa0fb93f2d0bcf3b0c00104057076f8013a70812d6)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.