The disksweep npm package (versions 1.0.0 and 3.0.0) contains a large undocumented Windows PE32+ native binary loaded as a native Node.js addon via process.dlopen, providing full FFI access to the host environment. The package's README falsely claims no runtime dependencies, contradicting the presence of this opaque native code. Metadata fields such as repository and bug URLs are placeholders, and the author is generically listed, suggesting weak attribution. The native binary loader is currently ineffective due to ESM module type conflicts with CommonJS globals, but a minor code change could enable the binary, activating a malicious payload. This constitutes a staged native payload pattern indicative of malicious intent.

If activated, the native binary could execute arbitrary code with the privileges of the Node.js process, potentially compromising the host system. The presence of an opaque native payload with full FFI access poses a significant security risk, including unauthorized code execution and system compromise. Currently, the malicious code is dormant due to module system incompatibilities, but this can be trivially bypassed, exposing users to active exploitation.

No official patch or remediation is currently documented. Users should avoid installing or using disksweep versions 1.0.0 and 3.0.0. Monitor the vendor or package repository for updates or official advisories. Given the package metadata obscures maintainer identity and the package contains a hidden native binary, it is recommended to remove this package from environments and replace it with trusted alternatives. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.