OSV Malicious Advisory
scanned 10d ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6531 confirms this npm version as malicious. Package @appupdate/cdn-sync ships as a thin koffi wrapper around prebuilt Go cgo native libraries (~12MB linux.so, ~11MB darwin.dylib for x64/arm64)...
Advisory
MAL-2026-6531
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @appupdate/cdn-sync (npm)
Details
Package @appupdate/cdn-sync ships as a thin koffi wrapper around prebuilt Go cgo native libraries (~12MB linux.so, ~11MB darwin.dylib for x64/arm64). The JS surface exports `ProbeStart(knock)` / `ProbeStop` / `ProbeRunning` / `ProbeLastError`, where `ProbeStart` requires a caller-supplied passphrase that must match a value compiled into the native binary (per the source comment: 'knock must match the BuiltinKnock compiled into native'). The README explicitly states that endpoints and authentication are encapsulated inside the native binary so installers cannot inspect them. Strings inside the shipped binaries reference Tencent Cloud Object Storage endpoints (`cos.myqcloud.com`, `tencentcos.cn`, `https://%s.cos.%s.myqcloud.com`), indicating the worker is linked against the Tencent COS SDK with destination bucket and credentials embedded in opaque bytes. The advertised purpose (CDN static-asset sync) does not match the only exported symbol family (`Probe*`), and publisher metadata is an unfilled placeholder (`github.com/your-org/appupdate.git`, license UNLICENSED, generic `@appupdate` scope) providing no verifiable identity. The combination of a passphrase-gated activation path, deliberately hidden destination and credentials inside a shipped binary, doc-mismatched cover story, and placeholder publisher metadata is the structural shape of a covert uploader / backdoor: once an installer or downstream caller invokes `ProbeStart` with the right knock, attacker-controlled code executes on the installer's machine against a Tencent COS bucket the installer cannot see or audit.
Decision reason
OpenSSF Malicious Packages via OSV confirms @appupdate/cdn-sync@1.0.2 as malicious (MAL-2026-6531): Malicious code in @appupdate/cdn-sync (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory