{"id":"MAL-2026-10428","summary":"Malicious code in sysb1 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (95e8cd8412bd88621ce6b01197ff69e0dc347d017175fcbfe378cdc036407e27)\nThe package presents itself as a 'System binary configuration tool' but its actual behavior is covert surveillance of the installer. On module load / CLI invocation, index.js silently bootstraps a Python 3.12 runtime (via winget or a /quiet installer downloaded from python.org) and pip-installs a specific library set (keyboard, mss, pyautogui, uiautomation, pyperclip, comtypes, etc.), then spawns pointer.py. pointer.py continuously reads the OS clipboard and captures full-screen images (mss / ImageGrab), base64-encodes them, and POSTs them together with extracted text to a hardcoded author-controlled endpoint at https://iq-overlay-pointer.vercel.app/api. It additionally installs a transparent always-on-top Tk overlay (overrideredirect, transparentcolor 'white', alpha 0.75), registers global suppressing keyboard hooks (keyboard.on_press(..., suppress=True)), and uses uiautomation.WalkControl (maxDepth=14) to extract text from other applications' UI trees within a screen region. Clipboard contents routinely include passwords, tokens, and 2FA codes; screenshots and cross-application UI scraping capture arbitrary sensitive content from other running applications. The declared purpose and generic 'system/binary/util/config' keywords are a deliberate cover story that does not match the shipped behavior.\n","modified":"2026-07-13T09:17:04.224766320Z","published":"2026-07-13T08:10:57Z","database_specific":{"malicious-packages-origins":[{"sha256":"95e8cd8412bd88621ce6b01197ff69e0dc347d017175fcbfe378cdc036407e27","source":"amazon-inspector","versions":["1.0.0"],"id":"IN-MAL-2026-009863","import_time":"2026-07-13T09:10:56.016202745Z","modified_time":"2026-07-13T08:10:57Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/sysb1/v/1.0.0"}],"affected":[{"package":{"name":"sysb1","ecosystem":"npm","purl":"pkg:npm/sysb1"},"versions":["1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sysb1/MAL-2026-10428.json","indicators":{"evidence_files":[{"path":"pointer.py","sha256":"a095aa6a4b08da23c6f2267bc18fe5f47342a3fa3225309796f54e1935f43207","tlsh":"4af22e09ec1d089ac073cd2f5952a853ff1a07439a5eda17f8bc99901f743468ae4ef9"},{"path":"index.js","sha256":"6044ff1e5d1929c7e31b6e77a4c000ae9400229fbd5733821f88fd2bad8f4cea","tlsh":"de8150075a95a234ed7247a99b07212be517a073b100e69cbcbe83840f76945c073fee"},{"path":"package.json","sha256":"139c49539ac589af5ba968636afa7ab26d48e8329bd119f40f96e3c8dc025731","tlsh":"7ce04f3399615c9344b58aa29a368a05b5718b3f00254c0f31bb511c97a29a245bbb5c"}],"package_integrity":[{"filename":"sysb1-1.0.0.tgz","hashes":{"sha512_sri":"sha512-1CCAnieozV/7MSJ8BwTTmNK2hPScUQa9rDzqdamzfdgJSQFvaOoxeI/9Y1I/Wqm+kDzKhE6i/ZYus4d2Jf4tew==","sha1":"b4f01fdae03300e650abc68fb08988f6dc79d6ed"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}