Supply-chain threat intelligence

Incident detail

criticalnpm·crypto miner·osv

Malicious code in syncgrove (npm)

syncgrove

Risk score

92

AI summary

Indexed incident for syncgrove (npm).

Description

The package's postinstall lifecycle script contacts a hardcoded plain-HTTP endpoint at http://player.sweeprovider.org, retrieves a key via /getKey.php and an AES-CBC encrypted payload via /generateRandomKey.php, decrypts the payload using CryptoJS with a hardcoded key suffix, and passes the resulting string to child_process.exec. This causes attacker-supplied, mutable, obfuscated shell content to run automatically on the installer's machine during npm install. The package's README presents it as a trivial 'greet' module, which does not match the actual install-time behavior. The remote host is unauthenticated and served over plain HTTP, so the fetched command body is both attacker-mutable and MITM-modifiable.

Technical details

Affected versions

=1.4.0

Indicators

  • affected version=1.4.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents