syncgrove @1.4.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:52 PM UTC
OSV ID
MAL-2026-10680
Ecosystem
npm
Summary
The package's postinstall lifecycle script contacts a hardcoded plain-HTTP endpoint at http://player.sweeprovider.org, retrieves a key via /getKey.php and an AES-CBC encrypted payload via /generateRandomKey.php, decrypts the payload using CryptoJS with a hardcoded key suffix, and passes the resulting string to child_process.exec. This causes attacker-supplied, mutable, obfuscated shell content to run automatically on the installer's machine during npm install . The package's README presents it as a trivial 'greet' module, which does not match the actual install-time behavior. The remote host is unauthenticated and served over plain HTTP, so the fetched command body is both attacker-mutable and MITM-modifiable.
Source: amazon-inspector (6c96b3528ab792944d243b00ae61facc33740850b5cb2ed19671fd6732e43494)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.