npm · Malicious package advisory
Malwarekoishi-plugin-fusheng-count
MAL-2026-4595
Malicious code in koishi-plugin-fusheng-count (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (060196a35f8eb94f7e91f892daf62aee8e293d16130565dfbc837877df264db5)
lib/index.js contains a base64-obfuscated hardcoded user ID (`Buffer.from("Mjc1OTcyMDE2MQ==", "base64").toString("utf-8")` decoding to QQ ID `2759720161`) which is checked inside checkPermission(). When session.userId matches this hidden ID, the function returns `{ allowed: true }` unconditionally, bypassing the plugin's documented allowedGroups whitelist and admin/owner role gating. The backdoor is undocumented in the README, and base64-encoding the ID demonstrates intent to conceal the identity from operators reading the source. Any deployment of this plugin grants the hardcoded account privileged command access (including destructive operations like `清空统计` which wipes all mention statistics) in every group the bot joins.
Compromised versions (1)
- 1.0.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.