-= Per source details. Do not edit below this line.=-
cheaty-sync-bot ships a clipboard-sync CLI that hardcodes a single Telegram bot token (index.js:10) owned by the package author. There is no configuration path for installers to supply their own bot — every user of this tool connects to the same author-controlled relay. Two concrete harms result: (1) Silent-relay: clipboard contents (text and images) and installer chat identifiers flow through the author's Telegram bot, giving the author visibility into every installer's session via getUpdates polling. (2) Backdoor / remote code execution: incoming Telegram messages are interpolated into a PowerShell command (powershell -Command "Set-Clipboard -Value \"${escapedText}\"") at index.js:31-34 and passed to exec(). The escaping only replaces double quotes with backtick-quotes; PowerShell metacharacters such as backticks, $(...) subexpressions, and newlines are not sanitized, so anyone holding the bot token (the author, or anyone who obtains it) can send a crafted message to any installer running the CLI and achieve arbitrary command execution on the Windows host.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-003204",
"versions": [
"1.0.0"
],
"modified_time": "2026-05-19T17:04:16Z",
"source": "amazon-inspector",
"sha256": "45b192c71c59ccca1d9cc720372bd29f39eae8b5da4d572cd1e8312d6b57d6b4",
"import_time": "2026-05-26T05:50:12.466472794Z"
}
]
}[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "cheaty-sync-bot-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-a0cVqhJSsUUYmBOky2GPTlJX/9UvURYFmc+Gq+WZJMaq56sUCu/Q4Png/Ca/KHLYgSWmSQZIATUP5vXCxTrYrQ==",
"sha1": "31339eb9bd47fdd7252eb146d3ef168e1981482f"
}
}
],
"evidence_files": [
{
"path": "index.js",
"sha256": "81fd7c45bae08d774166951d6635741ae0a31fd6ef4b853ebae90f11111386cf",
"tlsh": "8dc144960dff9529413364aad71ba01a3016e13b3508da68bdccd3a25f4173859fabfc"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cheaty-sync-bot/MAL-2026-4518.json"