MAL-2026-10428

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sysb1/MAL-2026-10428.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10428
Published
2026-07-13T08:10:57Z
Modified
2026-07-13T09:17:04.224766320Z
Summary
Malicious code in sysb1 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (95e8cd8412bd88621ce6b01197ff69e0dc347d017175fcbfe378cdc036407e27)

The package presents itself as a 'System binary configuration tool' but its actual behavior is covert surveillance of the installer. On module load / CLI invocation, index.js silently bootstraps a Python 3.12 runtime (via winget or a /quiet installer downloaded from python.org) and pip-installs a specific library set (keyboard, mss, pyautogui, uiautomation, pyperclip, comtypes, etc.), then spawns pointer.py. pointer.py continuously reads the OS clipboard and captures full-screen images (mss / ImageGrab), base64-encodes them, and POSTs them together with extracted text to a hardcoded author-controlled endpoint at https://iq-overlay-pointer.vercel.app/api. It additionally installs a transparent always-on-top Tk overlay (overrideredirect, transparentcolor 'white', alpha 0.75), registers global suppressing keyboard hooks (keyboard.on_press(..., suppress=True)), and uses uiautomation.WalkControl (maxDepth=14) to extract text from other applications' UI trees within a screen region. Clipboard contents routinely include passwords, tokens, and 2FA codes; screenshots and cross-application UI scraping capture arbitrary sensitive content from other running applications. The declared purpose and generic 'system/binary/util/config' keywords are a deliberate cover story that does not match the shipped behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-009863",
            "import_time": "2026-07-13T09:10:56.016202745Z",
            "modified_time": "2026-07-13T08:10:57Z",
            "sha256": "95e8cd8412bd88621ce6b01197ff69e0dc347d017175fcbfe378cdc036407e27",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / sysb1

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "a095aa6a4b08da23c6f2267bc18fe5f47342a3fa3225309796f54e1935f43207",
            "tlsh": "4af22e09ec1d089ac073cd2f5952a853ff1a07439a5eda17f8bc99901f743468ae4ef9",
            "path": "pointer.py"
        },
        {
            "sha256": "6044ff1e5d1929c7e31b6e77a4c000ae9400229fbd5733821f88fd2bad8f4cea",
            "tlsh": "de8150075a95a234ed7247a99b07212be517a073b100e69cbcbe83840f76945c073fee",
            "path": "index.js"
        },
        {
            "sha256": "139c49539ac589af5ba968636afa7ab26d48e8329bd119f40f96e3c8dc025731",
            "tlsh": "7ce04f3399615c9344b58aa29a368a05b5718b3f00254c0f31bb511c97a29a245bbb5c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "sysb1-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-1CCAnieozV/7MSJ8BwTTmNK2hPScUQa9rDzqdamzfdgJSQFvaOoxeI/9Y1I/Wqm+kDzKhE6i/ZYus4d2Jf4tew==",
                "sha1": "b4f01fdae03300e650abc68fb08988f6dc79d6ed"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sysb1/MAL-2026-10428.json"