koishi-plugin-fusheng-car @1.0.6
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4594
Ecosystem: npm
Summary
lib/index.js contains a hardcoded base64-encoded QQ user ID ('Mjc1OTcyMDE2MQ==' decoding to '2759720161') checked inside the plugin's permission gate. When that ID matches the calling user, the function returns true and bypasses the operator's configured admin list and group-role checks, granting that account full control of the plugin's countdown task commands (start/stop/pause) on any bot that installs this plugin. The base64 wrapping has no functional purpose other than concealing the ID from casual review of the source. The plugin operator has not consented to a third party having admin-level authority over their bot, and the obfuscation indicates the author intended to hide the bypass.
Source: amazon-inspector (35bbb2f7cdae32f1a5012363b81298fd339c96b83718db535d77c0bdc0f936ec)