Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

node-procmetricsnpm

Malicious code in node-procmetrics (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-10445
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall node-procmetrics

What this malware does

install.js executes automatically via the package.json postinstall hook. It XOR-decodes (key 0x5A) a hardcoded npm registry auth token and writes it into the installer's global npm config at //registry.npmjs.org/:_authToken, replacing the installer's own npm authentication with an attacker-controlled identity. It then polls registry.npmjs.org for this package's dist-tags, base64-decodes the 'cmd' field, and executes the resulting string via spawnSync('bash', ['-c', cmd],...) in an infinite loop, giving the publisher arbitrary shell execution on any machine that installs the package. The output and exit code of each executed command are base64-encoded, placed into a synthesized package.json description field under /tmp/pm-pkg, and pushed back to the public npm registry via 'npm publish --access public' using the hijacked token, using the registry itself as the exfiltration channel. For persistence, install.js copies itself to /tmp/.pm-agent.js and spawns a detached, unref'd Node process pointing at that file, so the polling loop survives past the npm install invocation. The combination of covert channel via dist-tags, XOR-obfuscated embedded credential, credential replacement in the installer's npm config, and detached persistent process is unambiguous backdoor behavior at install time.

Malicious versions

9 flagged
1.0.11.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.9

Indicators of compromise (SHA-256)

4d10c5997cd06995b3dc8ff8ca6798291f3cc517004d2988b8b7e9b23aa882c2
e41a88d3fab17af2429cc051cce026d47622123ce4005d3fbdda844dfca2783a
ec7a93ad727eb20b9987d469bd9c1c9885ccfe5ecac9f63c92533c39fdc9a89c
745e0484fcd3bb5744be7b89107df02e154151766df41f5342bb3d254a6bfaf2
8f214c46f243f81d8f8d1bf442c6ddca8e95504b06c03d0d4e4ea277f6e6380d
c7db9e51eaaff07cb242f7e8c3e55372eaf117bd3de26d4afd8699d819583222
ca5a4d93f2a1af3a3535ab75ee6af1743aa0cc1a2aa6cb2481ab9a84ee7c2b11
cbf90f128705bbda30cd157d15dce3a518690058121c9d7e93602d7223753084
d2e4ccb828d2b993f38efd1560ceacb99bec404cfaa4cf977f7897f494c2d1e3

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for node-procmetrics (9 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging node-procmetrics across your stack and pipelines.

  2. If you installed it — respond

    node-procmetrics is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If node-procmetrics was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks node-procmetrics before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. node-procmetrics on npm has been identified as a malicious package (versions 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, and 1 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-010237IN-MAL-2026-010236IN-MAL-2026-010234IN-MAL-2026-010241IN-MAL-2026-010233IN-MAL-2026-010235IN-MAL-2026-010238IN-MAL-2026-010232IN-MAL-2026-010231

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks node-procmetrics-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.