MAL-2026-10680

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/syncgrove/MAL-2026-10680.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10680
Published
2026-07-15T10:51:05Z
Modified
2026-07-15T11:49:26.106090856Z
Summary
Malicious code in syncgrove (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6c96b3528ab792944d243b00ae61facc33740850b5cb2ed19671fd6732e43494)

The package's postinstall lifecycle script contacts a hardcoded plain-HTTP endpoint at http://player.sweeprovider.org, retrieves a key via /getKey.php and an AES-CBC encrypted payload via /generateRandomKey.php, decrypts the payload using CryptoJS with a hardcoded key suffix, and passes the resulting string to child_process.exec. This causes attacker-supplied, mutable, obfuscated shell content to run automatically on the installer's machine during npm install. The package's README presents it as a trivial 'greet' module, which does not match the actual install-time behavior. The remote host is unauthenticated and served over plain HTTP, so the fetched command body is both attacker-mutable and MITM-modifiable.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010675",
            "import_time": "2026-07-15T11:33:40.202874818Z",
            "sha256": "6c96b3528ab792944d243b00ae61facc33740850b5cb2ed19671fd6732e43494",
            "versions": [
                "1.4.0"
            ],
            "modified_time": "2026-07-15T10:51:05Z"
        }
    ]
}
References
Credits

Affected packages

npm / syncgrove

Package

Affected ranges

Affected versions

1.*
1.4.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/syncgrove/MAL-2026-10680.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "syncgrove-1.4.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-n3rCTAbNu8cMB3tHwsXtjJe13BvAuq4RB/ZbQgy80frk9ydN/LK0XbiEOsksUqwkrVhM42ZVvWcbxpUY0K7E6Q==",
                "sha1": "2d9d93293db029143d3aeb793a2fedd4815f7a6c"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "83c12a85d76c16a454adfe112fae3e06001b9fea4c3e5f38c3f97cbd46cf90eb",
            "tlsh": "ff11aa46383ba4b6c7f04bd3383be80de92b4e162341c397bbdd1a08df98811d8528d4"
        }
    ]
}