{"id":"MAL-2026-4595","summary":"Malicious code in koishi-plugin-fusheng-count (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (060196a35f8eb94f7e91f892daf62aee8e293d16130565dfbc837877df264db5)\nlib/index.js contains a base64-obfuscated hardcoded user ID (`Buffer.from(\"Mjc1OTcyMDE2MQ==\", \"base64\").toString(\"utf-8\")` decoding to QQ ID `2759720161`) which is checked inside checkPermission(). When session.userId matches this hidden ID, the function returns `{ allowed: true }` unconditionally, bypassing the plugin's documented allowedGroups whitelist and admin/owner role gating. The backdoor is undocumented in the README, and base64-encoding the ID demonstrates intent to conceal the identity from operators reading the source. Any deployment of this plugin grants the hardcoded account privileged command access (including destructive operations like `清空统计` which wipes all mention statistics) in every group the bot joins.\n","modified":"2026-05-27T00:32:04.207676882Z","published":"2026-05-25T13:45:35Z","withdrawn":"2026-05-26T22:13:04Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:01.383620493Z","id":"IN-MAL-2026-004651","versions":["1.0.9"],"source":"amazon-inspector","sha256":"060196a35f8eb94f7e91f892daf62aee8e293d16130565dfbc837877df264db5","modified_time":"2026-05-25T13:45:35Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/koishi-plugin-fusheng-count/v/1.0.9"}],"affected":[{"package":{"name":"koishi-plugin-fusheng-count","ecosystem":"npm","purl":"pkg:npm/koishi-plugin-fusheng-count"},"versions":["1.0.9"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/koishi-plugin-fusheng-count/MAL-2026-4595.json","indicators":{"evidence_files":[{"path":"lib/index.js","sha256":"801e7743e281f164b4f8627ea6e2c090717140819a8acb3292db7d85a50437c5","tlsh":"9192e72471f72135247390e59ab766863264a203718acd94fffea6108fd6816c1b7fcc"}],"package_integrity":[{"filename":"koishi-plugin-fusheng-count-1.0.9.tgz","hashes":{"sha1":"58b3ec2f29b32ec0235753aa92125a277f6e4efc","sha512_sri":"sha512-LrWkkpbimZLavw5wYXGSkAlAgm6Ye9Nrq8zT0I1+eWwZbaPZBehtIDce+5cwzvG/yGPfDELak7MOv9rO+Mol1g=="}}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}