npm

@appupdate/cdn-sync @1.0.2

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 9:50 PM UTC

Malicious

OSV ID

MAL-2026-6531

Ecosystem

npm

Summary

The package presents itself as a CDN static-asset background sync worker, but the shipped ~12MB native libraries (linux-x64.so, darwin-arm64/x64.dylib) export the cgo symbols ProbeStart / ProbeStop / ProbeRunning, which are invoked by the JS start(knock) API, and their string tables contain pervasive implant capabilities: c2, reverseShell, socks, persist, setuid, chmod, knock, plus an embedded Tencent COS SDK with the URL template https://%s.cos.%s.myqcloud.com and a host-validation regex for myqcloud.com / tencentcos.cn.

The README explicitly states that endpoints and authentication are encapsulated inside the native binary (in the README's own wording, translated: "sensitive configuration such as endpoints and authentication is encapsulated inside the native binary") and references a compiled-in BuiltinKnock; the start(licenseKey) parameter is implant-activation authentication, not a commercial license check.

When an installer follows the documented usage, the host activates a hidden agent with reverse-shell / SOCKS-proxy / persistence capability, communicating with hardcoded Tencent COS destinations that the installer can neither inspect nor configure.

Publisher metadata reinforces the cover-story shape: a placeholder github.com/your-org/appupdate repo URL, an UNLICENSED license field, a generic CDN-sync description, and a node-probe source directory hint.

Source: amazon-inspector (60cf918a652983ae11a7742f3f6413ad5ff40ae2fe6e823368658b7e0c60bd19)