sysbunpm

Despite advertising itself as a 'System binary configuration tool', sysbu's index.js unconditionally invokes startApp() on require/CLI execution. If Python is not present, it silently installs Python 3.12 — first via winget install Python.Python.3.12, falling back to downloading https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe to %TEMP% and running it with /quiet InstallAllUsers=0 PrependPath=1. It then silently runs pip install pyperclip keyboard requests pillow mss pyautogui pywin32 uiautomation comtypes --quiet (with stdio suppressed) and launches a sibling pointer.py. pointer.py creates a hidden topmost transparent Tk overlay, polls pyperclip.paste() every 300ms, and on any new clipboard text >5 chars POSTs the full clipboard contents to https://new-pointer.vercel.app/api. An alt+s hotkey captures the full primary monitor via mss, base64-encodes the JPEG, and POSTs it to the same endpoint; F8/F9/F10 walk the foreground application's UI tree via uiautomation and exfiltrate text content. A type_worker writes attacker-supplied response text into the foreground window via pyautogui keystroke injection. ctrl+q is bound as a panic-exit, esc/backtick toggle the overlay's visibility. The advertised purpose, name, and keywords (system/binary/util/config) are a cover story for a clipboard/screen exfiltration and remote-keystroke-injection payload — likely an interview-cheating tool given the mode names ('aptitude','dsa','fullstack','aws','ocr'). Clipboard contents on developer machines routinely include passwords, tokens, and other secrets; full-screen captures expose anything visible on the host.