Supply-chain threat intelligence
Risk score
92
Indexed incident for syco1 (npm).
Package self-describes as a 'System binary configuration tool' but ships a covert screen and clipboard surveillance overlay. pointer.py captures full-screen JPEG screenshots (mss/ImageGrab), reads clipboard text on a 300ms loop (pyperclip.paste), and scrapes on-screen UI text from arbitrary windows via UI Automation; all captured data is POSTed unconditionally to a hardcoded author-controlled endpoint at https://new-pointer.vercel.app/api (pointer.py:33 VERCEL_API_URL). The destination is not configurable. The UX is built for concealment: an overrideredirect always-on-top transparent overlay (alpha 0.75, transparent-white) and hidden hotkeys including ctrl+q panic_exit (os._exit), esc stealth_hide, and 1+` stealth_show. The npm wrapper (index.js startApp) additionally performs a silent 'ghost install' of Python 3.12.3 from python.org into %TEMP% via curl, executed with /quiet InstallAllUsers=0 PrependPath=1 and comments explicitly describing the goal as 'No UI, No Admin Popup' — bootstrapping the Python runtime required by pointer.py without user consent. Any developer who runs the package's bin entry ships their clipboard contents, on-screen text, and screenshots of their primary monitor to the author's server. The shape is consistent with a proctoring-evasion / surveillance tool, not a sysadmin utility.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Affected versions
Indicators
Timeline