-= Per source details. Do not edit below this line.=-
lib/index.js contains a hardcoded user ID hidden behind base64 encoding: Buffer.from("Mjc1OTcyMDE2MQ==", "base64").toString("utf-8") decodes to QQ ID 2759720161. checkPermission() compares session.userId against this hidden ID and, on a match, returns { allowed: true } unconditionally, bypassing the plugin's documented allowedGroups whitelist and admin/owner role gating. The backdoor is not documented in the README, and base64-encoding the ID demonstrates intent to conceal the identity from operators reading the source. Any deployment of this plugin grants the hardcoded account privileged command access in every group the bot joins, including destructive operations such as 清空统计, which wipes all mention statistics. The affected version and the hashes of lib/index.js and the package tarball are recorded in the JSON below and can be used to check whether an installed copy matches.
{
"malicious-packages-origins": [
{
"sha256": "060196a35f8eb94f7e91f892daf62aee8e293d16130565dfbc837877df264db5",
"id": "IN-MAL-2026-004651",
"source": "amazon-inspector",
"modified_time": "2026-05-25T13:45:35Z",
"versions": [
"1.0.9"
],
"import_time": "2026-05-26T05:53:01.383620493Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/koishi-plugin-fusheng-count/MAL-2026-4595.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"sha256": "801e7743e281f164b4f8627ea6e2c090717140819a8acb3292db7d85a50437c5",
"tlsh": "9192e72471f72135247390e59ab766863264a203718acd94fffea6108fd6816c1b7fcc",
"path": "lib/index.js"
}
],
"package_integrity": [
{
"filename": "koishi-plugin-fusheng-count-1.0.9.tgz",
"hashes": {
"sha1": "58b3ec2f29b32ec0235753aa92125a277f6e4efc",
"sha512_sri": "sha512-LrWkkpbimZLavw5wYXGSkAlAgm6Ye9Nrq8zT0I1+eWwZbaPZBehtIDce+5cwzvG/yGPfDELak7MOv9rO+Mol1g=="
}
}
]
}