registry  /  syncgrove  /  1.4.0

syncgrove@1.4.0

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10680 confirms this npm version as malicious. The package's postinstall lifecycle script contacts a hardcoded plain-HTTP endpoint at http://player.sweeprovider.org, retrieves a key via /getKey.php and an AES-CBC encrypted payload via /generateRandomKey.php, decrypts the payload using CryptoJS with a hardcoded key suffix, and passes the resulting string to child_process.exec...

Advisory
MAL-2026-10680
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in syncgrove (npm)
Details
The package's postinstall lifecycle script contacts a hardcoded plain-HTTP endpoint at http://player.sweeprovider.org, retrieves a key via /getKey.php and an AES-CBC encrypted payload via /generateRandomKey.php, decrypts the payload using CryptoJS with a hardcoded key suffix, and passes the resulting string to child_process.exec. This causes attacker-supplied, mutable, obfuscated shell content to run automatically on the installer's machine during `npm install`. The package's README presents it as a trivial 'greet' module, which does not match the actual install-time behavior. The remote host is unauthenticated and served over plain HTTP, so the fetched command body is both attacker-mutable and MITM-modifiable.
Decision reason
OpenSSF Malicious Packages via OSV confirms syncgrove@1.4.0 as malicious (MAL-2026-10680): Malicious code in syncgrove (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory