MAL-2026-4518

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cheaty-sync-bot/MAL-2026-4518.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4518
Published
2026-05-19T17:04:16Z
Modified
2026-05-26T06:02:20.050640574Z
Summary
Malicious code in cheaty-sync-bot (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (45b192c71c59ccca1d9cc720372bd29f39eae8b5da4d572cd1e8312d6b57d6b4)

cheaty-sync-bot ships a clipboard-sync CLI that hardcodes a single Telegram bot token (index.js:10) owned by the package author. There is no configuration path for installers to supply their own bot — every user of this tool connects to the same author-controlled relay. Two concrete harms result: (1) Silent-relay: clipboard contents (text and images) and installer chat identifiers flow through the author's Telegram bot, giving the author visibility into every installer's session via getUpdates polling. (2) Backdoor / remote code execution: incoming Telegram messages are interpolated into a PowerShell command (powershell -Command "Set-Clipboard -Value \"${escapedText}\"") at index.js:31-34 and passed to exec(). The escaping only replaces double quotes with backtick-quotes; PowerShell metacharacters such as backticks, $(...) subexpressions, and newlines are not sanitized, so anyone holding the bot token (the author, or anyone who obtains it) can send a crafted message to any installer running the CLI and achieve arbitrary command execution on the Windows host.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-003204",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-05-19T17:04:16Z",
            "source": "amazon-inspector",
            "sha256": "45b192c71c59ccca1d9cc720372bd29f39eae8b5da4d572cd1e8312d6b57d6b4",
            "import_time": "2026-05-26T05:50:12.466472794Z"
        }
    ]
}
References
Credits

Affected packages

npm / cheaty-sync-bot

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "cheaty-sync-bot-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-a0cVqhJSsUUYmBOky2GPTlJX/9UvURYFmc+Gq+WZJMaq56sUCu/Q4Png/Ca/KHLYgSWmSQZIATUP5vXCxTrYrQ==",
                "sha1": "31339eb9bd47fdd7252eb146d3ef168e1981482f"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "81fd7c45bae08d774166951d6635741ae0a31fd6ef4b853ebae90f11111386cf",
            "tlsh": "8dc144960dff9529413364aad71ba01a3016e13b3508da68bdccd3a25f4173859fabfc"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cheaty-sync-bot/MAL-2026-4518.json"