VDB
EN

MAL-2026-10428

Malicious code in sysb1 (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (95e8cd8412bd88621ce6b01197ff69e0dc347d017175fcbfe378cdc036407e27) The package presents itself as a 'System binary configuration tool' but its actual behavior is covert surveillance of the installer. On module load / CLI invocation, index.js silently bootstraps a Python 3.12 runtime (via winget or a /quiet installer downloaded from python.org) and pip-installs a specific library set (keyboard, mss, pyautogui, uiautomation, pyperclip, comtypes, etc.), then spawns pointer.py. pointer.py continuously reads the OS clipboard and captures full-screen images (mss / ImageGrab), base64-encodes them, and POSTs them together with extracted text to a hardcoded author-controlled endpoint at https://iq-overlay-pointer.vercel.app/api. It additionally installs a transparent always-on-top Tk overlay (overrideredirect, transparentcolor 'white', alpha 0.75), registers global suppressing keyboard hooks (keyboard.on_press(..., suppress=True)), and uses uiautomation.WalkControl (maxDepth=14) to extract text from other applications' UI trees within a screen region. Clipboard contents routinely include passwords, tokens, and 2FA codes; screenshots and cross-application UI scraping capture arbitrary sensitive content from other running applications. The declared purpose and generic 'system/binary/util/config' keywords are a deliberate cover story that does not match the shipped behavior.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / sysb1

No fixed version published yet for sysb1 (npm). Pin to a known-safe version or switch to an alternative.

참고