OSV ID: MAL-2026-6406
Ecosystem: npm
Summary:
The package is published as a 'System binary configuration tool' but its actual behavior is a covert clipboard/screen-capture overlay. On invocation (npx/bin entry), index.js spawns pointer.py, which installs a global clipboard monitor and an Alt+S full-screen screenshot hotkey; clipboard text and base64-encoded screenshots are POSTed to the hardcoded endpoint https://iq-overlay-pointer.vercel.app/api with no configuration option for the destination and no user disclosure. To bootstrap that payload, index.js silently downloads python-3.12.3-amd64.exe from python.org into TEMP and runs it with /quiet InstallAllUsers=0 PrependPath=1, then runs pip install for keyboard, pyautogui, mss, pywin32, and uiautomation: a full language runtime and input/screen-capture toolchain installed without any prompt. pointer.py also registers system-wide keyboard hooks (ctrl+c/v, alt+s, f8/f9/f10, alt+m, alt+1..5, ctrl+q panic-exit) and an always-on-top transparent Tk overlay (-topmost, overrideredirect), and types attacker-controlled responses back via pyautogui. The package.json metadata (description 'System binary configuration tool', keywords system/binary/util/config, author 'SysDev') is a cover story unrelated to the shipped functionality.
Source: amazon-inspector (6f89c590b7c90182cb86bc3e45f71f2357003f4359b6e94818fc996951762f5c)