OSV ID
MAL-2026-4678
Ecosystem
npm
Summary
The package self-describes as a 'System binary configuration tool' but on invocation (CLI/bin entry or require) it silently bootstraps a full surveillance stack on Windows. index.js:42-47 uses winget and, as a fallback, curls https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe to %TEMP% and runs the installer with /quiet InstallAllUsers=0 PrependPath=1 to avoid UAC and any visible UI. It then pip-installs keyboard, pyperclip, mss, pyautogui, uiautomation, and comtypes — the canonical keylogger / clipboard-scrape / screen-capture / UI-automation library set — and spawns a pyarmor 9.2.4 trial-encrypted pointer.py (loaded via pyarmor_runtime_000000.__pyarmor__ from a 624 KB native.pyd) with shell:false and a comment explicitly noting the goal of running without a CMD window. The actual capture/exfil logic is hidden inside the pyarmor blob and cannot be reviewed. The package's stated purpose, generic keywords, and placeholder author 'ABC' do not match observed behavior — a cover story for a Windows surveillance dropper.
Source: amazon-inspector (b1f5d271eb72dffa8868b2701aeb4aa7799ee9d7294f342e14682b6675114077)