-= Per source details. Do not edit below this line.=-
The package's postinstall lifecycle script contacts a hardcoded plain-HTTP endpoint at http://player.sweeprovider.org, retrieves a key via /getKey.php and an AES-CBC encrypted payload via /generateRandomKey.php, decrypts the payload using CryptoJS with a hardcoded key suffix, and passes the resulting string to child_process.exec. This causes attacker-supplied, mutable, obfuscated shell content to run automatically on the installer's machine during npm install. The package's README presents it as a trivial 'greet' module, which does not match the actual install-time behavior. The remote host is unauthenticated and served over plain HTTP, so the fetched command body is both attacker-mutable and MITM-modifiable.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010675",
"import_time": "2026-07-15T11:33:40.202874818Z",
"sha256": "6c96b3528ab792944d243b00ae61facc33740850b5cb2ed19671fd6732e43494",
"versions": [
"1.4.0"
],
"modified_time": "2026-07-15T10:51:05Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/syncgrove/MAL-2026-10680.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "syncgrove-1.4.0.tgz",
"hashes": {
"sha512_sri": "sha512-n3rCTAbNu8cMB3tHwsXtjJe13BvAuq4RB/ZbQgy80frk9ydN/LK0XbiEOsksUqwkrVhM42ZVvWcbxpUY0K7E6Q==",
"sha1": "2d9d93293db029143d3aeb793a2fedd4815f7a6c"
}
}
],
"evidence_files": [
{
"path": "postinstall.js",
"sha256": "83c12a85d76c16a454adfe112fae3e06001b9fea4c3e5f38c3f97cbd46cf90eb",
"tlsh": "ff11aa46383ba4b6c7f04bd3383be80de92b4e162341c397bbdd1a08df98811d8528d4"
}
]
}