VYPR

npm · Malicious package advisory

Malware

koishi-plugin-fusheng-car

MAL-2026-4594

Malicious code in koishi-plugin-fusheng-car (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (35bbb2f7cdae32f1a5012363b81298fd339c96b83718db535d77c0bdc0f936ec)
lib/index.js contains a hardcoded base64-encoded QQ user ID ('Mjc1OTcyMDE2MQ==' decoding to '2759720161') checked inside the plugin's permission gate. When that ID matches the calling user, the function returns true and bypasses the operator's configured admin list and group-role checks, granting that account full control of the plugin's countdown task commands (start/stop/pause) on any bot that installs this plugin. The base64 wrapping has no functional purpose other than concealing the ID from casual review of the source. The plugin operator has not consented to a third party having admin-level authority over their bot, and the obfuscation indicates the author intended to hide the bypass.

Compromised versions (1)

  • 1.0.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.