{"id":"MAL-2026-6406","summary":"Malicious code in syspo (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6f89c590b7c90182cb86bc3e45f71f2357003f4359b6e94818fc996951762f5c)\nThe package is published as a 'System binary configuration tool' but its actual behavior is a covert clipboard/screen-capture overlay. On invocation (npx/bin entry), index.js spawns pointer.py, which installs a global clipboard monitor and an Alt+S full-screen screenshot hotkey; clipboard text and base64-encoded screenshots are POSTed to the hardcoded endpoint https://iq-overlay-pointer.vercel.app/api with no configuration option for the destination and no user disclosure. To bootstrap that payload, index.js silently downloads python-3.12.3-amd64.exe from python.org into TEMP and runs it with `/quiet InstallAllUsers=0 PrependPath=1`, then runs `pip install` for keyboard, pyautogui, mss, pywin32, and uiautomation — a full language runtime and input/screen-capture toolchain installed without any prompt. pointer.py also registers system-wide keyboard hooks (ctrl+c/v, alt+s, f8/f9/f10, alt+m, alt+1..5, ctrl+q panic-exit) and an always-on-top transparent Tk overlay (`-topmost`, `overrideredirect`), and types attacker-controlled responses back via pyautogui. The package.json metadata (description 'System binary configuration tool', keywords system/binary/util/config, author 'SysDev') is a cover story unrelated to the shipped functionality.\n","modified":"2026-06-24T22:46:22.819484900Z","published":"2026-06-24T22:18:31Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"id":"IN-MAL-2026-007446","import_time":"2026-06-24T22:32:48.50051046Z","modified_time":"2026-06-24T22:18:31Z","sha256":"6f89c590b7c90182cb86bc3e45f71f2357003f4359b6e94818fc996951762f5c","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/syspo/v/1.0.0"}],"affected":[{"package":{"name":"syspo","ecosystem":"npm","purl":"pkg:npm/syspo"},"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"pointer.py","sha256":"371774d6ebf4d4e28659c69390d5436666750eaac8c8a704161d6757d85c86c6","tlsh":"8af22e09ec1c089ac073cd2f5952a853ff1a07439a5eda17f8bc99901f743468ae4ef9"},{"path":"index.js","sha256":"dd63a58755fb0ff2919a9debd8e6adb710a9f755454c10e766920dec788c4c33","tlsh":"69814f065a95a234ed7247a99b07212be517a063a100e69cbdbe83840f76945c073fee"},{"tlsh":"e5e04f33c9615ca344b58aa29a368a05b5b18b3f00254c0f30bb501c97a29a245bab6c","path":"package.json","sha256":"2ee8c935c832a1450d47818b8a30c1d50e93731d0332937a29b5364ece78ef94"}],"package_integrity":[{"hashes":{"sha1":"a19e372a1c6f7b7a9c4704254a108d6eddbbda35","sha512_sri":"sha512-cjZ+w12qnV0dJY1UfDC5MXXwqpQvXEa+k92yLWeUhcW9Sa08v5WIVVaNRQLjbyytoR3txRmpGjY2pD3VwddRMA=="},"filename":"syspo-1.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/syspo/MAL-2026-6406.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}