MAL-2026-10749

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sync-grove/MAL-2026-10749.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10749
Published
2026-07-16T18:35:11Z
Modified
2026-07-16T19:19:59.896088189Z
Summary
Malicious code in sync-grove (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (65248cd6e2924b6485824bcf382441e39d5e09860bc1e849aee0d6d289d184fb)

Package.json declares "postinstall": "node setup.js", so setup.js runs automatically on npm install. The script assembles the strings shelljs and exec from base64 fragments at runtime, then fetches two plain-HTTP URLs on player.sweeprovider.org (/getKey.php and /generateRandomKey.php) whose values are stored as concatenated base64 fragments (securityKey1), decrypts the response with a hardcoded AES salt, and passes the resulting string to shelljs.exec on the installer's host. The package presents itself as a typosquat of sync-exec ("Synchronous exec with status code support"), and js/syncgrove.js mirrors the sync-exec implementation as a decoy. The combination of hardcoded remote HTTP endpoints, runtime-assembled module/method names, encrypted payload staging, and shell execution at install time is a supply-chain dropper: whatever command the attacker serves runs with the installer's privileges on npm install.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-16T18:35:30Z",
            "sha256": "1c57339261b245f25fe1c0a8c553fc51e054f2a3905e6c8810ae9260640141b9",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-07-16T18:54:00.398791815Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010708"
        },
        {
            "modified_time": "2026-07-16T18:35:11Z",
            "sha256": "65248cd6e2924b6485824bcf382441e39d5e09860bc1e849aee0d6d289d184fb",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-07-16T18:54:00.321902303Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010706"
        },
        {
            "modified_time": "2026-07-16T18:35:46Z",
            "sha256": "f12adf46d43c2bba759fa37315f487d4343ee9e3106e94d938feedcfb7c86bdf",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-07-16T18:54:00.437539846Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010709"
        }
    ]
}
References
Credits

Affected packages

npm / sync-grove

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "sync-grove-1.0.2.tgz",
            "hashes": {
                "sha1": "e54673928510dfff3029189614bf8b1a60b24e4f",
                "sha512_sri": "sha512-YZvhlI+2D40LzzzTiV1E4Mx9jubANZoMOB1usjJ1pvYuUCVZWR58Atboy/+KW4njEz7wOIobZR8QgzH20lJLkg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "d821df463c3e64a283b04ad7f536e44eda1b8f0b2121c3b376dd19494f5d800ad129f0",
            "sha256": "98b95bc28376ba79784d76d83ecb40aa422c744b71548c71d7b69f7756bb337e",
            "path": "setup.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sync-grove/MAL-2026-10749.json"