MAL-2026-3773

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sysbin/MAL-2026-3773.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3773
Published
2026-05-14T19:25:48Z
Modified
2026-05-15T07:51:38.273051Z
Summary
Malicious code in sysbin (npm)
Details


Source: amazon-inspector (8ab8ea4ce073a93a1973a062ac7661ceeaea9c312f9fd67e9acda9936e2b6578)

Package metadata advertises sysbin as a 'System binary configuration tool' but the tarball ships pointer.py, a stealth overlay that runs automatically when index.js executes. index.js calls startApp() unconditionally at the bottom of the main module (triggered by node index.js, the sys-bin bin entry, npm start, or require('sysbin')). If Python is not present, index.js first tries winget install Python.Python.3.12 --silent, and on failure downloads https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe to %TEMP% and runs it with /quiet InstallAllUsers=0 PrependPath=1 — code comments describe this as a 'GHOST INSTALLER' intended to bypass browser/admin prompts. It then pip-installs pyperclip, keyboard, mss, pyautogui, pywin32, and uiautomation and launches pointer.py.

pointer.py polls the clipboard every 300ms via pyperclip.paste() and POSTs every change to the hardcoded URL https://iq-overlay-pointer.vercel.app/api (pointer.py:281). It also binds hotkeys that capture full-screen screenshots via mss/ImageGrab, base64-encodes them as JPEG, and POSTs them to the same endpoint (pointer.py:231). The endpoint is hardcoded with no config surface, no documentation, and no consent prompt.

Additional stealth features (panic_exit on Ctrl+Q, Esc-to-hide transparent Tk window, keystroke-replay 'mash-to-type' mode) confirm the tool is designed to hide from the machine's user. This is an intentional supply-chain attack: installing and running sysbin exfiltrates clipboard contents and screenshots to an author-controlled host.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-14T19:25:48Z",
            "versions": [
                "1.0.34"
            ],
            "sha256": "8ab8ea4ce073a93a1973a062ac7661ceeaea9c312f9fd67e9acda9936e2b6578",
            "id": "IN-MAL-2026-002758",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:19.225288551Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / sysbin
Affected ranges: 1.*
Affected versions: 1.0.34

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "fb92fc2bf9a16ef9a4eb4e6ad0c792682d03d6e27c90e4b0d6cb36c1fa0c6be0",
            "tlsh": "87b2714adc0d584ac433cd1f6952b823fb1e43439a5e9917f8bca9901f7431689e4ef9",
            "path": "pointer.py"
        },
        {
            "sha256": "a68b940ab1f3cb8dca48c53f74c11b4b94c81bfbd98566362bb8a5ba2a5a0f7f",
            "tlsh": "c58140075a95a234ed3247ed9b07212be517a0736101e69cbdbe83840f76945c073fee",
            "path": "index.js"
        },
        {
            "sha256": "faf5b2859becc22f2f887a9641e9aa335f943fcfc4237bbf5a694b3f34f84437",
            "tlsh": "7ce04f3389615c5344b94aa29a2a8b15b5729b3f00354c0b30bba01c9ba25b245bab5c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-a+onHkOdpZXFcYQCcOsozLM0Anpn5D2345168v4/z5SnaxgbVEN5lH0INIKxCurxz/MKTMRlxfeY//TuNpPkvw==",
                "sha1": "7c0509088db0d478d4808e276a501039181f6e68"
            },
            "filename": "sysbin-1.0.34.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sysbin/MAL-2026-3773.json"