@appupdate/cdn-sync @1.0.3
Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 12:56 PM UTC
OSV ID
MAL-2026-6531
Ecosystem
npm
Summary
Package @appupdate/cdn-sync ships as a thin koffi wrapper around prebuilt Go cgo native libraries (~12MB linux.so, ~11MB darwin.dylib, for x64 and arm64). The JS surface exports ProbeStart(knock), ProbeStop, ProbeRunning and ProbeLastError; ProbeStart requires a caller-supplied passphrase that must match a value compiled into the native binary (per the source comment: 'knock must match the BuiltinKnock compiled into native'). The README explicitly states that endpoints and authentication are encapsulated inside the native binary so installers cannot inspect them.

Strings inside the shipped binaries reference Tencent Cloud Object Storage endpoints (cos.myqcloud.com, tencentcos.cn, https://%s.cos.%s.myqcloud.com), indicating the worker is linked against the Tencent COS SDK with the destination bucket and credentials embedded in opaque bytes. The advertised purpose (CDN static-asset sync) does not match the only exported symbol family (Probe*), and the publisher metadata is an unfilled placeholder (repository github.com/your-org/appupdate.git, license UNLICENSED, generic @appupdate scope) that provides no verifiable identity.

The combination of a passphrase-gated activation path, a destination and credentials deliberately hidden inside a shipped binary, a cover story that contradicts the package's own exports, and placeholder publisher metadata is the structural shape of a covert uploader / backdoor: once an installer or downstream caller invokes ProbeStart with the right knock, attacker-controlled code runs on the installer's machine against a Tencent COS bucket the installer cannot see or audit.
Source: amazon-inspector (445a7b613694730e29915d732e3df0700d145622b279b62b0a141c76211e6f14)