npm

agentsync-tool @1.0.1

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC

Malicious

OSV ID

MAL-2026-6444

Ecosystem

npm

Summary

The package advertises itself as a zero-dependency pure-JS markdown sync tool (~150 lines) but ships an undocumented 2.9MB Windows PE binary at bin/native/parser.node (sha256 b1aace6c70312a39ca39e6bba1d9abc6aaf9b23171089b1a548adc89f67f83c3) with no source, no binding.gyp, and no mention in the README or CHANGELOG. src/index.js lines 30-34 attempt to load this binary via process.dlopen(module, p) at module load time under the comment 'Load native parser for performance'. The stated purpose of the native binary is contradicted both by the package's advertised functionality (trivial markdown sync that does not need a native parser) and by the README's explicit claim of 'zero dependencies, nothing to audit'. Calling dlopen on an opaque native binary executes arbitrary x64 code inside the Node process with full host privileges, and the bytes are inspectable only as a compiled artifact. Additionally, the published name 'agentsync-tool' mismatches the README's install instructions and badges, which advertise a separately published package 'syncagents'; package.json's repository URL points at a non-git npm package page ('git+https://www.npmjs.com/package/syncagents.git'), and the author is a generic 'agentsync contributors'. The name confusion is consistent with riding the SEO of a legitimate sibling package to deliver the opaque binary to installers who follow the README instructions.

Source: amazon-inspector (430fd9891020d33aa720cede12887f97615ac764bd8af19dc27f18bba4729c38)
