MAL-2026-10749
Malicious code in sync-grove (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (65248cd6e2924b6485824bcf382441e39d5e09860bc1e849aee0d6d289d184fb) Package.json declares `"postinstall": "node setup.js"`, so `setup.js` runs automatically on `npm install`. The script assembles the strings `shelljs` and `exec` from base64 fragments at runtime, then fetches two plain-HTTP URLs on player.sweeprovider.org (`/getKey.php` and `/generateRandomKey.php`) whose values are stored as concatenated base64 fragments (`securityKey1`), decrypts the response with a hardcoded AES salt, and passes the resulting string to shelljs.exec on the installer's host. The package presents itself as a typosquat of `sync-exec` ("Synchronous exec with status code support"), and `js/syncgrove.js` mirrors the sync-exec implementation as a decoy. The combination of hardcoded remote HTTP endpoints, runtime-assembled module/method names, encrypted payload staging, and shell execution at install time is a supply-chain dropper: whatever command the attacker serves runs with the installer's privileges on `npm install`.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for sync-grove (npm). Pin to a known-safe version or switch to an alternative.