{"id":"MAL-2026-5924","summary":"Malicious code in binproto (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1bbe88a299e58c31b71b346733abb6684ce1a1e8e68fad118eca48a53a2b15a3)\nOn any call to the exported `pack()` function, index.js downloads a platform-specific binary from `https://wotann-dktl.vercel.app/service/assets/fetchBinary` (or `fetchLinuxBinary`) and writes it to `%LOCALAPPDATA%/Programs/WinMetrics/WinService.exe` on Windows or `~/.local/share/WinMetrics/WinMetrics` on Linux. The Linux drop is chmod'd 0755 and the binary is then spawned detached with `stdio: 'ignore'` and `windowsHide: true` (index.js:67), unref'd so it survives the parent process. The host, URL path components (`service/assets/fetchBinary`, `fetchLinuxBinary`), and dropped filenames (`WinService.exe`, `WinMetrics`) are assembled at runtime from `String.fromCharCode` numeric arrays (index.js:23-28,:49) to hide them from scanners. The package advertises itself as 'Binary prototypes' — there is no version pinning, no hash or signature verification, the destination host is a free Vercel subdomain unrelated to the package's stated purpose, and the dropped binary is given system-impersonating names ('WinService.exe' under 'Programs/WinMetrics') to blend into process lists. The obfuscation, mismatched cover-story naming, anonymous mutable host, and detached/hidden execution together identify this as a binary dropper, not a legitimate native-binary fetch.\n","modified":"2026-06-16T21:16:46.722372587Z","published":"2026-06-16T19:56:34Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-16T21:06:47.021150359Z","sha256":"1bbe88a299e58c31b71b346733abb6684ce1a1e8e68fad118eca48a53a2b15a3","versions":["1.0.7"],"id":"IN-MAL-2026-006828","modified_time":"2026-06-16T19:56:34Z","source":"amazon-inspector"},{"modified_time":"2026-06-16T19:56:36Z","sha256":"472099c9263e5c2592d818a4068a978079a3f77a26edcf855cb19e06947d7aee","versions":["1.0.5"],"id":"IN-MAL-2026-006829","import_time":"2026-06-16T21:06:47.170738107Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/binproto/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/binproto/v/1.0.5"}],"affected":[{"package":{"name":"binproto","ecosystem":"npm","purl":"pkg:npm/binproto"},"versions":["1.0.7","1.0.5"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/binproto/MAL-2026-5924.json","indicators":{"package_integrity":[{"filename":"binproto-1.0.7.tgz","hashes":{"sha1":"b913145c9ab299e1daf0a3279e2b6fe92d977d6b","sha512_sri":"sha512-49LiBMViulpEEYjZyzUVy+NPm7L8phk4xKQhuuslQMfz5c2eIzMLufO1w64B21DVC4Wr5dEf62N53OeERpyD1A=="}}],"evidence_files":[{"path":"index.js","sha256":"779efb0fe92699569b851ff5429e07c96c76a9801b0ff01c5ae040945bec1d95","tlsh":"01a1764376e1703c0723e4ed56a6d81ba15e8902334ce4e0fa9d4d049fc26a4daf5acc"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}