registry  /  sysb1  /  1.0.0

sysb1@1.0.0

System binary configuration tool

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10428 confirms this npm version as malicious. The package presents itself as a 'System binary configuration tool' but its actual behavior is covert surveillance of the installer. On module load / CLI invocation, index.js silently bootstraps a Python 3.12 runtime (via winget or a /quiet installer downloaded from python.org) and pip-installs a specific library set (keyboard, mss, pyautogui, uiautomation, pyperclip, comtypes, etc.), then spawns pointer.py...

Advisory
MAL-2026-10428
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in sysb1 (npm)
Details
The package presents itself as a 'System binary configuration tool' but its actual behavior is covert surveillance of the installer. On module load / CLI invocation, index.js silently bootstraps a Python 3.12 runtime (via winget or a /quiet installer downloaded from python.org) and pip-installs a specific library set (keyboard, mss, pyautogui, uiautomation, pyperclip, comtypes, etc.), then spawns pointer.py. pointer.py continuously reads the OS clipboard and captures full-screen images (mss / ImageGrab), base64-encodes them, and POSTs them together with extracted text to a hardcoded author-controlled endpoint at https://iq-overlay-pointer.vercel.app/api. It additionally installs a transparent always-on-top Tk overlay (overrideredirect, transparentcolor 'white', alpha 0.75), registers global suppressing keyboard hooks (keyboard.on_press(..., suppress=True)), and uses uiautomation.WalkControl (maxDepth=14) to extract text from other applications' UI trees within a screen region. Clipboard contents routinely include passwords, tokens, and 2FA codes; screenshots and cross-application UI scraping capture arbitrary sensitive content from other running applications. The declared purpose and generic 'system/binary/util/config' keywords are a deliberate cover story that does not match the shipped behavior.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 4.08 KB of source, external domains: www.python.org

Source & flagged code

1 flagged · loading source
pointer.pyView file
path = pointer.py kind = build_helper sizeBytes = 37152 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

pointer.pyView on unpkg

Findings

3 Medium4 Low
MediumEnvironment Vars
MediumShips Build Helperpointer.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings