VDB
KO

MAL-2026-10680

Malicious code in syncgrove (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6c96b3528ab792944d243b00ae61facc33740850b5cb2ed19671fd6732e43494) The package's postinstall lifecycle script contacts a hardcoded plain-HTTP endpoint at http://player.sweeprovider.org, retrieves a key via /getKey.php and an AES-CBC encrypted payload via /generateRandomKey.php, decrypts the payload using CryptoJS with a hardcoded key suffix, and passes the resulting string to child_process.exec. This causes attacker-supplied, mutable, obfuscated shell content to run automatically on the installer's machine during `npm install`. The package's README presents it as a trivial 'greet' module, which does not match the actual install-time behavior. The remote host is unauthenticated and served over plain HTTP, so the fetched command body is both attacker-mutable and MITM-modifiable.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / syncgrove

No fixed version published yet for syncgrove (npm). Pin to a known-safe version or switch to an alternative.

References