-= Per source details. Do not edit below this line.=-
The package presents itself as a 'System binary configuration tool' but its actual behavior is covert surveillance of the installer. On module load / CLI invocation, index.js silently bootstraps a Python 3.12 runtime (via winget or a /quiet installer downloaded from python.org) and pip-installs a specific library set (keyboard, mss, pyautogui, uiautomation, pyperclip, comtypes, etc.), then spawns pointer.py. pointer.py continuously reads the OS clipboard and captures full-screen images (mss / ImageGrab), base64-encodes them, and POSTs them together with extracted text to a hardcoded author-controlled endpoint at https://iq-overlay-pointer.vercel.app/api. It additionally installs a transparent always-on-top Tk overlay (overrideredirect, transparentcolor 'white', alpha 0.75), registers global suppressing keyboard hooks (keyboard.on_press(..., suppress=True)), and uses uiautomation.WalkControl (maxDepth=14) to extract text from other applications' UI trees within a screen region. Clipboard contents routinely include passwords, tokens, and 2FA codes; screenshots and cross-application UI scraping capture arbitrary sensitive content from other running applications. The declared purpose and generic 'system/binary/util/config' keywords are a deliberate cover story that does not match the shipped behavior.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-009863",
"import_time": "2026-07-13T09:10:56.016202745Z",
"modified_time": "2026-07-13T08:10:57Z",
"sha256": "95e8cd8412bd88621ce6b01197ff69e0dc347d017175fcbfe378cdc036407e27",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "a095aa6a4b08da23c6f2267bc18fe5f47342a3fa3225309796f54e1935f43207",
"tlsh": "4af22e09ec1d089ac073cd2f5952a853ff1a07439a5eda17f8bc99901f743468ae4ef9",
"path": "pointer.py"
},
{
"sha256": "6044ff1e5d1929c7e31b6e77a4c000ae9400229fbd5733821f88fd2bad8f4cea",
"tlsh": "de8150075a95a234ed7247a99b07212be517a073b100e69cbcbe83840f76945c073fee",
"path": "index.js"
},
{
"sha256": "139c49539ac589af5ba968636afa7ab26d48e8329bd119f40f96e3c8dc025731",
"tlsh": "7ce04f3399615c9344b58aa29a368a05b5718b3f00254c0f31bb511c97a29a245bbb5c",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "sysb1-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-1CCAnieozV/7MSJ8BwTTmNK2hPScUQa9rDzqdamzfdgJSQFvaOoxeI/9Y1I/Wqm+kDzKhE6i/ZYus4d2Jf4tew==",
"sha1": "b4f01fdae03300e650abc68fb08988f6dc79d6ed"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sysb1/MAL-2026-10428.json"