{"id":"MAL-2026-10190","summary":"Malicious code in tinyparrot (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ec7ebbcc82edaa241764193ea85c0492b99f9ed3be805c57ef0914518cd4b6f9)\nThe postinstall script src/build.js reconstructs the strings 'https', 'POST', and the destination host 'rnjkerbf.org/P' from integer-encoded arrays via base-decoders in src/const.js and src/helpers.js, then dynamically requires the resolved module and issues an HTTPS POST to https://rnjkerbf.org/P. The value of the response header 'm' is passed directly to child_process.execSync, so arbitrary shell commands returned by the attacker-controlled server run on the installer's machine at 'npm install' time. Errors are swallowed by try/catch to hide failures. The URL, HTTP method, and required module name are all hidden behind numeric-literal decoders to evade static inspection.\n","modified":"2026-07-12T00:01:52.099862224Z","published":"2026-07-11T23:20:47Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-009742","sha256":"ec7ebbcc82edaa241764193ea85c0492b99f9ed3be805c57ef0914518cd4b6f9","modified_time":"2026-07-11T23:20:47Z","import_time":"2026-07-11T23:49:33.756334608Z","source":"amazon-inspector","versions":["0.4.1"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/tinyparrot/v/0.4.1"}],"affected":[{"package":{"name":"tinyparrot","ecosystem":"npm","purl":"pkg:npm/tinyparrot"},"versions":["0.4.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tinyparrot/MAL-2026-10190.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"sha256":"f093f558b779564b9b465280504af2a4f537e8e54954041f56be519212338751","path":"src/tools.js","tlsh":"ecd02bf1819632f1ed508bf5ea210aa1a4f7c731b208c1d1328c918f17570184336865"},{"path":"src/const.js","sha256":"4b7a17a6676b134f258d4a13b17d2b596594cdaf1ae511958b1a7cd7b11a5e66","tlsh":"0521368166ce745254f34397f1d7548deda993102307b4cabcf484ab0f442984453fe2"}],"package_integrity":[{"filename":"tinyparrot-0.4.1.tgz","hashes":{"sha512_sri":"sha512-YtjPxHIMCrFWFIS9AheY6qnJN2bD7a+7qiK00hmnqAtJaV6lx3jzecrFMvON+BzGGTseTIkwFy52WJYUCKyXwg==","sha1":"4fba43af242f4d0772e3e58b34d2ecd494e5ecf6"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}