{"id":"MAL-2026-4518","summary":"Malicious code in cheaty-sync-bot (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (45b192c71c59ccca1d9cc720372bd29f39eae8b5da4d572cd1e8312d6b57d6b4)\ncheaty-sync-bot ships a clipboard-sync CLI that hardcodes a single Telegram bot token (index.js:10) owned by the package author. There is no configuration path for installers to supply their own bot — every user of this tool connects to the same author-controlled relay. Two concrete harms result: (1) Silent-relay: clipboard contents (text and images) and installer chat identifiers flow through the author's Telegram bot, giving the author visibility into every installer's session via getUpdates polling. (2) Backdoor / remote code execution: incoming Telegram messages are interpolated into a PowerShell command (`powershell -Command \"Set-Clipboard -Value \\\"${escapedText}\\\"\"`) at index.js:31-34 and passed to `exec()`. The escaping only replaces double quotes with backtick-quotes; PowerShell metacharacters such as backticks, `$(...)` subexpressions, and newlines are not sanitized, so anyone holding the bot token (the author, or anyone who obtains it) can send a crafted message to any installer running the CLI and achieve arbitrary command execution on the Windows host.\n","modified":"2026-05-26T06:02:20.050640574Z","published":"2026-05-19T17:04:16Z","database_specific":{"malicious-packages-origins":[{"sha256":"45b192c71c59ccca1d9cc720372bd29f39eae8b5da4d572cd1e8312d6b57d6b4","source":"amazon-inspector","versions":["1.0.0"],"id":"IN-MAL-2026-003204","import_time":"2026-05-26T05:50:12.466472794Z","modified_time":"2026-05-19T17:04:16Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cheaty-sync-bot/v/1.0.0"}],"affected":[{"package":{"name":"cheaty-sync-bot","ecosystem":"npm","purl":"pkg:npm/cheaty-sync-bot"},"versions":["1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"path":"index.js","sha256":"81fd7c45bae08d774166951d6635741ae0a31fd6ef4b853ebae90f11111386cf","tlsh":"8dc144960dff9529413364aad71ba01a3016e13b3508da68bdccd3a25f4173859fabfc"}],"package_integrity":[{"hashes":{"sha1":"31339eb9bd47fdd7252eb146d3ef168e1981482f","sha512_sri":"sha512-a0cVqhJSsUUYmBOky2GPTlJX/9UvURYFmc+Gq+WZJMaq56sUCu/Q4Png/Ca/KHLYgSWmSQZIATUP5vXCxTrYrQ=="},"filename":"cheaty-sync-bot-1.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cheaty-sync-bot/MAL-2026-4518.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}