MAL-2026-5616

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sysbu/MAL-2026-5616.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5616
Published
2026-06-11T06:49:35Z
Modified
2026-06-11T08:01:32.716689175Z
Summary
Malicious code in sysbu (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c7d7e10321db9abd5e77b0f656d5fac237968ecd79c0ce409b58ee555fb5b236)

Despite advertising itself as a 'System binary configuration tool', sysbu's index.js unconditionally invokes startApp() on require/CLI execution. If Python is not present, it silently installs Python 3.12: first via winget install Python.Python.3.12, falling back to downloading https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe to %TEMP% and running it with /quiet InstallAllUsers=0 PrependPath=1. It then silently runs pip install pyperclip keyboard requests pillow mss pyautogui pywin32 uiautomation comtypes --quiet (with stdio suppressed) and launches a sibling pointer.py.

pointer.py creates a hidden topmost transparent Tk overlay, polls pyperclip.paste() every 300 ms, and on any new clipboard text longer than 5 characters POSTs the full clipboard contents to https://new-pointer.vercel.app/api. An alt+s hotkey captures the full primary monitor via mss, base64-encodes the JPEG, and POSTs it to the same endpoint; F8/F9/F10 walk the foreground application's UI tree via uiautomation and exfiltrate its text content. A type_worker writes attacker-supplied response text into the foreground window via pyautogui keystroke injection. ctrl+q is bound as a panic exit; esc and backtick toggle the overlay's visibility.

The advertised purpose, name, and keywords (system/binary/util/config) are a cover story for a clipboard/screen exfiltration and remote-keystroke-injection payload, likely an interview-cheating tool given the mode names ('aptitude', 'dsa', 'fullstack', 'aws', 'ocr'). Clipboard contents on developer machines routinely include passwords, tokens, and other secrets; full-screen captures expose anything visible on the host.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005655",
            "versions": [
                "1.0.2"
            ],
            "sha256": "074576d86fa21528b2813cd44725e41b91aa0219c4724669cd5aabb5d12457a0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:49:35Z",
            "import_time": "2026-06-11T07:49:37.587887572Z"
        },
        {
            "id": "IN-MAL-2026-005654",
            "import_time": "2026-06-11T07:49:37.497547752Z",
            "sha256": "c7d7e10321db9abd5e77b0f656d5fac237968ecd79c0ce409b58ee555fb5b236",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:49:35Z",
            "versions": [
                "1.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

Package: npm / sysbu

Affected ranges: 1.*

Affected versions: 1.0.1, 1.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sysbu/MAL-2026-5616.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "pointer.py",
            "sha256": "68c4767f15be3ed8563073a099930a4e045e8adcce97f0311334fa5c126f7544",
            "tlsh": "b0e2da05ec0d0896c473de2e5852a863ff1a0b435a1e9e57f8bc99905f743078ae4ef9"
        },
        {
            "path": "index.js",
            "sha256": "6044ff1e5d1929c7e31b6e77a4c000ae9400229fbd5733821f88fd2bad8f4cea",
            "tlsh": "de8150075a95a234ed7247a99b07212be517a073b100e69cbcbe83840f76945c073fee"
        },
        {
            "path": "package.json",
            "sha256": "aaba03b3148147407666da4aaa9291b0baf11ecc29643981ac46c4785ef3e747",
            "tlsh": "72e04f339a615c9344b44aa29a368a19b5728b3f00254c0f30fb501c97a25a245bbb5c"
        }
    ],
    "package_integrity": [
        {
            "filename": "sysbu-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-1lDbogmqqNggtiq36UuZ7FliKiH40PXsAusTRK+H3C+TcJ16XEfTXZcjmyXARLsWvfihneIRKZHuV3Yf3a0b/Q==",
                "sha1": "c3cc1dc780314d78e98ffb3f7b4780c91af84903"
            }
        }
    ]
}