registry  /  sync-grove  /  1.0.2

sync-grove@1.0.2

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10749 confirms this npm version as malicious. Package.json declares `"postinstall": "node setup.js"`, so `setup.js` runs automatically on `npm install`. The script assembles the strings `shelljs` and `exec` from base64 fragments at runtime, then fetches two plain-HTTP URLs on player.sweeprovider.org (`/getKey.php` and `/generateRandomKey.php`) whose values are stored as concatenated base64 fragments (`securityKey1`), decrypts the response with a hardcoded AES...

Advisory
MAL-2026-10749
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in sync-grove (npm)
Details
Package.json declares `"postinstall": "node setup.js"`, so `setup.js` runs automatically on `npm install`. The script assembles the strings `shelljs` and `exec` from base64 fragments at runtime, then fetches two plain-HTTP URLs on player.sweeprovider.org (`/getKey.php` and `/generateRandomKey.php`) whose values are stored as concatenated base64 fragments (`securityKey1`), decrypts the response with a hardcoded AES salt, and passes the resulting string to shelljs.exec on the installer's host. The package presents itself as a typosquat of `sync-exec` ("Synchronous exec with status code support"), and `js/syncgrove.js` mirrors the sync-exec implementation as a decoy. The combination of hardcoded remote HTTP endpoints, runtime-assembled module/method names, encrypted payload staging, and shell execution at install time is a supply-chain dropper: whatever command the attacker serves runs with the installer's privileges on `npm install`.
Decision reason
OpenSSF Malicious Packages via OSV confirms sync-grove@1.0.2 as malicious (MAL-2026-10749): Malicious code in sync-grove (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory