npm

sync-grove @1.0.2

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10749

Ecosystem

npm

Summary

Package.json declares "postinstall": "node setup.js" , so setup.js runs automatically on npm install . The script assembles the strings shelljs and exec from base64 fragments at runtime, then fetches two plain-HTTP URLs on player.sweeprovider.org ( /getKey.php and /generateRandomKey.php ) whose values are stored as concatenated base64 fragments ( securityKey1 ), decrypts the response with a hardcoded AES salt, and passes the resulting string to shelljs.exec on the installer's host. The package presents itself as a typosquat of sync-exec ("Synchronous exec with status code support"), and js/syncgrove.js mirrors the sync-exec implementation as a decoy. The combination of hardcoded remote HTTP endpoints, runtime-assembled module/method names, encrypted payload staging, and shell execution at install time is a supply-chain dropper: whatever command the attacker serves runs with the installer's privileges on npm install .

Source: amazon-inspector (65248cd6e2924b6485824bcf382441e39d5e09860bc1e849aee0d6d289d184fb)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.