-= Per source details. Do not edit below this line.=-
Package.json declares "postinstall": "node setup.js", so setup.js runs automatically on npm install. The script assembles the strings shelljs and exec from base64 fragments at runtime, then fetches two plain-HTTP URLs on player.sweeprovider.org (/getKey.php and /generateRandomKey.php) whose values are stored as concatenated base64 fragments (securityKey1), decrypts the response with a hardcoded AES salt, and passes the resulting string to shelljs.exec on the installer's host. The package presents itself as a typosquat of sync-exec ("Synchronous exec with status code support"), and js/syncgrove.js mirrors the sync-exec implementation as a decoy. The combination of hardcoded remote HTTP endpoints, runtime-assembled module/method names, encrypted payload staging, and shell execution at install time is a supply-chain dropper: whatever command the attacker serves runs with the installer's privileges on npm install.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-16T18:35:30Z",
"sha256": "1c57339261b245f25fe1c0a8c553fc51e054f2a3905e6c8810ae9260640141b9",
"versions": [
"1.0.2"
],
"import_time": "2026-07-16T18:54:00.398791815Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010708"
},
{
"modified_time": "2026-07-16T18:35:11Z",
"sha256": "65248cd6e2924b6485824bcf382441e39d5e09860bc1e849aee0d6d289d184fb",
"versions": [
"1.0.1"
],
"import_time": "2026-07-16T18:54:00.321902303Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010706"
},
{
"modified_time": "2026-07-16T18:35:46Z",
"sha256": "f12adf46d43c2bba759fa37315f487d4343ee9e3106e94d938feedcfb7c86bdf",
"versions": [
"1.0.0"
],
"import_time": "2026-07-16T18:54:00.437539846Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010709"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "sync-grove-1.0.2.tgz",
"hashes": {
"sha1": "e54673928510dfff3029189614bf8b1a60b24e4f",
"sha512_sri": "sha512-YZvhlI+2D40LzzzTiV1E4Mx9jubANZoMOB1usjJ1pvYuUCVZWR58Atboy/+KW4njEz7wOIobZR8QgzH20lJLkg=="
}
}
],
"evidence_files": [
{
"tlsh": "d821df463c3e64a283b04ad7f536e44eda1b8f0b2121c3b376dd19494f5d800ad129f0",
"sha256": "98b95bc28376ba79784d76d83ecb40aa422c744b71548c71d7b69f7756bb337e",
"path": "setup.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sync-grove/MAL-2026-10749.json"