MAL-2026-6406

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/syspo/MAL-2026-6406.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6406
Published
2026-06-24T22:18:31Z
Modified
2026-06-24T22:46:22.819484900Z
Summary
Malicious code in syspo (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6f89c590b7c90182cb86bc3e45f71f2357003f4359b6e94818fc996951762f5c)

The package is published as a 'System binary configuration tool' but its actual behavior is a covert clipboard/screen-capture overlay. On invocation (npx/bin entry), index.js spawns pointer.py, which installs a global clipboard monitor and an Alt+S full-screen screenshot hotkey; clipboard text and base64-encoded screenshots are POSTed to the hardcoded endpoint https://iq-overlay-pointer.vercel.app/api with no configuration option for the destination and no user disclosure. To bootstrap that payload, index.js silently downloads python-3.12.3-amd64.exe from python.org into TEMP and runs it with /quiet InstallAllUsers=0 PrependPath=1, then runs pip install for keyboard, pyautogui, mss, pywin32, and uiautomation — a full language runtime and input/screen-capture toolchain installed without any prompt. pointer.py also registers system-wide keyboard hooks (ctrl+c/v, alt+s, f8/f9/f10, alt+m, alt+1..5, ctrl+q panic-exit) and an always-on-top transparent Tk overlay (-topmost, overrideredirect), and types attacker-controlled responses back via pyautogui. The package.json metadata (description 'System binary configuration tool', keywords system/binary/util/config, author 'SysDev') is a cover story unrelated to the shipped functionality.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-24T22:18:31Z",
            "sha256": "6f89c590b7c90182cb86bc3e45f71f2357003f4359b6e94818fc996951762f5c",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-24T22:32:48.50051046Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007446"
        }
    ]
}
References
Credits

Affected packages

npm / syspo

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "syspo-1.0.0.tgz",
            "hashes": {
                "sha1": "a19e372a1c6f7b7a9c4704254a108d6eddbbda35",
                "sha512_sri": "sha512-cjZ+w12qnV0dJY1UfDC5MXXwqpQvXEa+k92yLWeUhcW9Sa08v5WIVVaNRQLjbyytoR3txRmpGjY2pD3VwddRMA=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "8af22e09ec1c089ac073cd2f5952a853ff1a07439a5eda17f8bc99901f743468ae4ef9",
            "sha256": "371774d6ebf4d4e28659c69390d5436666750eaac8c8a704161d6757d85c86c6",
            "path": "pointer.py"
        },
        {
            "tlsh": "69814f065a95a234ed7247a99b07212be517a063a100e69cbdbe83840f76945c073fee",
            "sha256": "dd63a58755fb0ff2919a9debd8e6adb710a9f755454c10e766920dec788c4c33",
            "path": "index.js"
        },
        {
            "tlsh": "e5e04f33c9615ca344b58aa29a368a05b5b18b3f00254c0f30bb501c97a29a245bab6c",
            "sha256": "2ee8c935c832a1450d47818b8a30c1d50e93731d0332937a29b5364ece78ef94",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/syspo/MAL-2026-6406.json"