{"id":"MAL-2026-6531","summary":"Malicious code in @appupdate/cdn-sync (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (60cf918a652983ae11a7742f3f6413ad5ff40ae2fe6e823368658b7e0c60bd19)\nPackage presents itself as a CDN static-asset background sync worker, but the shipped ~12MB native libraries (linux-x64.so, darwin-arm64/x64.dylib) export cgo symbols `ProbeStart` / `ProbeStop` / `ProbeRunning` invoked by the JS `start(knock)` API, and their string tables contain pervasive implant capabilities: `c2`, `reverseShell`, `socks`, `persist`, `setuid`, `chmod`, `knock`, plus an embedded Tencent COS SDK with URL template `https://%s.cos.%s.myqcloud.com` and host-validation regex for `myqcloud.com` / `tencentcos.cn`. README explicitly states that endpoints and authentication are encapsulated inside the native binary (`端点与鉴权等敏感配置封装在 native 二进制内`) and references a compiled-in `BuiltinKnock` — the `start(licenseKey)` parameter is implant-activation authentication, not a commercial license check. When an installer follows the documented usage, the host activates a hidden agent with reverse-shell / SOCKS-proxy / persistence capability, communicating with hardcoded Tencent COS destinations the installer cannot inspect or configure. Publisher metadata reinforces the cover-story shape: placeholder `github.com/your-org/appupdate` repo URL, `UNLICENSED`, generic CDN-sync description, `node-probe` source directory hint.\n","modified":"2026-06-26T19:01:39.128724604Z","published":"2026-06-26T18:24:34Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.2"],"import_time":"2026-06-26T18:42:50.121445827Z","modified_time":"2026-06-26T18:24:34Z","source":"amazon-inspector","sha256":"60cf918a652983ae11a7742f3f6413ad5ff40ae2fe6e823368658b7e0c60bd19","id":"IN-MAL-2026-007654"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@appupdate/cdn-sync/v/1.0.2"}],"affected":[{"package":{"name":"@appupdate/cdn-sync","ecosystem":"npm","purl":"pkg:npm/%40appupdate%2Fcdn-sync"},"versions":["1.0.2"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@appupdate/cdn-sync/MAL-2026-6531.json","indicators":{"evidence_files":[{"path":"prebuilds/linux-x64/libprobe.so","sha256":"9b55ce82ece2924f0010a0032a40fbf16d2ae703a969f8a0d01a3755a76352de","tlsh":"87d61847ec6145ddd0bd9231c9629672bab13c495b2063db2b60f7282f73bd06bb9390"},{"path":"README.md","sha256":"4161a47b9e43200140a8e4808d6d17ac968f7579b1f953d9a8a1780194688631","tlsh":"f551e9e5be1939222872d2a005b5b5cf4808a30d87f6ef9c5dbb8b3135f0184599c5bb"},{"path":"package.json","sha256":"b08ef59bea76218a3f541452577fd083e884e8a02834655aaa63cd99b2c4b707","tlsh":"d2014735cc749c2316d8ada45cb71286a1314ca78d087d0933cb606c4fae15b06fe17d"}],"package_integrity":[{"filename":"cdn-sync-1.0.2.tgz","hashes":{"sha1":"42723f1d2e416d8dda9edfdf74a457ce56f22d29","sha512_sri":"sha512-ssA9K0qVwaru1QLuAT6DP9nrHCV3DlT2WGMgrnN1cjy4fk+tnktufyNmXGCUIMoogZ4kPO0kIYjVc87W1E/aSQ=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}