MAL-2026-6531

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@appupdate/cdn-sync/MAL-2026-6531.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6531
Published
2026-06-26T18:24:34Z
Modified
2026-06-26T19:01:39.128724604Z
Summary
Malicious code in @appupdate/cdn-sync (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (60cf918a652983ae11a7742f3f6413ad5ff40ae2fe6e823368658b7e0c60bd19)

The package presents itself as a CDN static-asset background sync worker, but the shipped ~12MB native libraries (linux-x64.so, darwin-arm64/x64.dylib) export the cgo symbols ProbeStart / ProbeStop / ProbeRunning, which are invoked by the JS start(knock) API. Their string tables contain pervasive implant capabilities: c2, reverseShell, socks, persist, setuid, chmod, knock, plus an embedded Tencent COS SDK with the URL template https://%s.cos.%s.myqcloud.com and a host-validation regex for myqcloud.com / tencentcos.cn.

The README explicitly states that endpoints and authentication are encapsulated inside the native binary (in the README's words, translated: "sensitive configuration such as endpoints and authentication is packaged inside the native binary") and references a compiled-in BuiltinKnock. The start(licenseKey) parameter is therefore implant-activation authentication, not a commercial license check. When an installer follows the documented usage, the host activates a hidden agent with reverse-shell / SOCKS-proxy / persistence capability that communicates with hardcoded Tencent COS destinations the installer can neither inspect nor configure.

Publisher metadata reinforces the cover story: a placeholder github.com/your-org/appupdate repository URL, an UNLICENSED license field, a generic CDN-sync description, and a node-probe source directory hint.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.2"
            ],
            "modified_time": "2026-06-26T18:24:34Z",
            "sha256": "60cf918a652983ae11a7742f3f6413ad5ff40ae2fe6e823368658b7e0c60bd19",
            "id": "IN-MAL-2026-007654",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T18:42:50.121445827Z"
        }
    ]
}
References
Credits

Affected packages

npm / @appupdate/cdn-sync

Package

Name
@appupdate/cdn-sync
Purl
pkg:npm/%40appupdate%2Fcdn-sync

Affected ranges

Affected versions

1.*
1.0.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "cdn-sync-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-ssA9K0qVwaru1QLuAT6DP9nrHCV3DlT2WGMgrnN1cjy4fk+tnktufyNmXGCUIMoogZ4kPO0kIYjVc87W1E/aSQ==",
                "sha1": "42723f1d2e416d8dda9edfdf74a457ce56f22d29"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "prebuilds/linux-x64/libprobe.so",
            "tlsh": "87d61847ec6145ddd0bd9231c9629672bab13c495b2063db2b60f7282f73bd06bb9390",
            "sha256": "9b55ce82ece2924f0010a0032a40fbf16d2ae703a969f8a0d01a3755a76352de"
        },
        {
            "path": "README.md",
            "tlsh": "f551e9e5be1939222872d2a005b5b5cf4808a30d87f6ef9c5dbb8b3135f0184599c5bb",
            "sha256": "4161a47b9e43200140a8e4808d6d17ac968f7579b1f953d9a8a1780194688631"
        },
        {
            "path": "package.json",
            "tlsh": "d2014735cc749c2316d8ada45cb71286a1314ca78d087d0933cb606c4fae15b06fe17d",
            "sha256": "b08ef59bea76218a3f541452577fd083e884e8a02834655aaa63cd99b2c4b707"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@appupdate/cdn-sync/MAL-2026-6531.json"