MAL-2026-10680
Malicious code in syncgrove (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6c96b3528ab792944d243b00ae61facc33740850b5cb2ed19671fd6732e43494) The package's postinstall lifecycle script contacts a hardcoded plain-HTTP endpoint at http://player.sweeprovider.org, retrieves a key via /getKey.php and an AES-CBC encrypted payload via /generateRandomKey.php, decrypts the payload using CryptoJS with a hardcoded key suffix, and passes the resulting string to child_process.exec. This causes attacker-supplied, mutable, obfuscated shell content to run automatically on the installer's machine during `npm install`. The package's README presents it as a trivial 'greet' module, which does not match the actual install-time behavior. The remote host is unauthenticated and served over plain HTTP, so the fetched command body is both attacker-mutable and MITM-modifiable.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for syncgrove (npm). Pin to a known-safe version or switch to an alternative.