MAL-2026-10216: Malicious code in node-sysmetrics (npm)
The node-sysmetrics npm package versions 1.0.0 and 1.0.1 contain malicious code that executes a post-install script dropping a persistent background process. This process polls the npm registry for base64-encoded commands, executes them on the host, and exfiltrates results by publishing throwaway npm packages. It also hijacks the installer's npm credentials by embedding a hardcoded auth token in the global npm config. Systems with this package installed should be considered fully compromised, and all secrets should be rotated from a separate machine.
AI Analysis
Technical Summary
The node-sysmetrics package (versions 1.0.0 and 1.0.1) includes a postinstall script that launches a detached Node.js process at /tmp/.sysm-agent.js. This agent continuously polls the npm registry for commands encoded in base64 within the package's dist-tags, decodes and executes them via bash on the infected host. Command outputs are base64-encoded and exfiltrated by publishing ephemeral public npm packages with the encoded data in the description field, using a hardcoded npm authentication token embedded in the install.js script. The token is also injected into the installer's global npm configuration (~/.npmrc), effectively hijacking the victim's npm credentials. This mechanism enables remote command execution and data exfiltration, indicating a full compromise of the affected system.
Potential Impact
Any system with node-sysmetrics versions 1.0.0 or 1.0.1 installed is fully compromised. The attacker gains persistent remote code execution capabilities and can exfiltrate sensitive data. The attack also hijacks npm credentials, potentially allowing further malicious activity within the victim's npm environment. All secrets and keys stored on the compromised system are at risk and must be rotated from a clean environment.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. Immediate removal of node-sysmetrics versions 1.0.0 and 1.0.1 is strongly recommended. Because the system is considered fully compromised, all secrets and credentials stored on the affected machine should be rotated from a separate, trusted device. Monitor for any unauthorized npm packages published using the hijacked credentials. Verify and clean the system thoroughly to remove any residual malicious components.
MAL-2026-10216: Malicious code in node-sysmetrics (npm)
Description
The node-sysmetrics npm package versions 1.0.0 and 1.0.1 contain malicious code that executes a post-install script dropping a persistent background process. This process polls the npm registry for base64-encoded commands, executes them on the host, and exfiltrates results by publishing throwaway npm packages. It also hijacks the installer's npm credentials by embedding a hardcoded auth token in the global npm config. Systems with this package installed should be considered fully compromised, and all secrets should be rotated from a separate machine.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The node-sysmetrics package (versions 1.0.0 and 1.0.1) includes a postinstall script that launches a detached Node.js process at /tmp/.sysm-agent.js. This agent continuously polls the npm registry for commands encoded in base64 within the package's dist-tags, decodes and executes them via bash on the infected host. Command outputs are base64-encoded and exfiltrated by publishing ephemeral public npm packages with the encoded data in the description field, using a hardcoded npm authentication token embedded in the install.js script. The token is also injected into the installer's global npm configuration (~/.npmrc), effectively hijacking the victim's npm credentials. This mechanism enables remote command execution and data exfiltration, indicating a full compromise of the affected system.
Potential Impact
Any system with node-sysmetrics versions 1.0.0 or 1.0.1 installed is fully compromised. The attacker gains persistent remote code execution capabilities and can exfiltrate sensitive data. The attack also hijacks npm credentials, potentially allowing further malicious activity within the victim's npm environment. All secrets and keys stored on the compromised system are at risk and must be rotated from a clean environment.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. Immediate removal of node-sysmetrics versions 1.0.0 and 1.0.1 is strongly recommended. Because the system is considered fully compromised, all secrets and credentials stored on the affected machine should be rotated from a separate, trusted device. Monitor for any unauthorized npm packages published using the hijacked credentials. Verify and clean the system thoroughly to remove any residual malicious components.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10216
- Osv Schema Version
- 1.7.4
- Aliases
- ["GHSA-w2wx-f2m6-332m"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54adf568715ace438f7444
Added to database: 07/13/2026, 09:20:53 UTC
Last enriched: 07/13/2026, 09:52:44 UTC
Last updated: 07/13/2026, 09:52:44 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.