{"id":"MAL-2026-10189","summary":"Malicious code in tinymask-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (dc1d083feee4cace9dba5cabdfd74701c7dc093520f0bbc104858ab699203604)\nindex.js (declared as the package main) reconstructs a host, URL paths, and dropped filenames from String.fromCharCode numeric arrays, resolving to https://filament-zap.vercel.app/service/assets/fetchBinary and /fetchLinuxBinary. On require, it downloads an OS-specific binary over HTTPS, writes it to %LOCALAPPDATA%\\Programs\\WinMetrics\\WinService.exe on Windows or ~/.local/share/WinMetrics on Linux, chmods it 0755 on Linux, and spawns it detached with stdio ignored and windowsHide set. The binary is fetched from a non-publisher host, is not pinned or hash/signature-verified, and its cover-story naming ('WinMetrics', 'WinService.exe') is unrelated to the package's advertised input-masking purpose. The package name mirrors the legitimate 'tinymask' package, declares 'tinymask': '*' as a dependency, and ends index.js with module.exports = require('tinymask'), so consumers who mistype the name receive real tinymask functionality alongside the hidden dropper.\n","modified":"2026-07-12T00:01:52.075758847Z","published":"2026-07-11T23:23:11Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-11T23:23:11Z","sha256":"dc1d083feee4cace9dba5cabdfd74701c7dc093520f0bbc104858ab699203604","source":"amazon-inspector","versions":["1.0.2"],"id":"IN-MAL-2026-009744","import_time":"2026-07-11T23:49:33.958674776Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tinymask-js/v/1.0.2"}],"affected":[{"package":{"name":"tinymask-js","ecosystem":"npm","purl":"pkg:npm/tinymask-js"},"versions":["1.0.2"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"0151029331e5606c4b3bd0ee190b9526955a8a02335de4d0fb9c4e586fc26b4b5f16cc","path":"index.js","sha256":"4d92810e005718d52f876601c1910905092974ac2adb35f17ef23732915341f1"},{"sha256":"b5b92228ed6bd32dfc935eb2858e3b1eb8b0bd393d6719a89e78424e6e4b25c2","tlsh":"cec012244512792320c51bd08ce58e4796521e3f5148781d53d3103c81de6af14ff23f","path":"package.json"}],"package_integrity":[{"filename":"tinymask-js-1.0.2.tgz","hashes":{"sha1":"5bd023bac45804f8ce26949a293cdec5cc85742b","sha512_sri":"sha512-3Js9ZugHE3tA61yNNVMr0n2cZb23Gdft9bViExM/BU2EaFoH8jbVUgBSrs9RsKq8ht1YIZHKhk4eBqn6c3DQRg=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tinymask-js/MAL-2026-10189.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}