MAL-2026-10163

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/llama-tokenizer/MAL-2026-10163.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10163
Published
2026-07-10T17:50:28Z
Modified
2026-07-10T18:16:49.951016844Z
Summary
Malicious code in llama-tokenizer (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b22305b1026f27be6d5b78dc19f7db7a05cc9d1818b7ebc7cda0fce92431aa02)

This package typosquats llama-tokenizer-js. On require, index.js reconstructs a host and URL path from String.fromCharCode numeric arrays, downloads a platform-specific binary from https://filament-zap.vercel.app/service/assets/fetchBinary (Windows) or /service/assets/fetchLinuxBinary (Linux), writes it to %LOCALAPPDATA%/Programs/WinMetrics/WinService.exe on Windows or ~/.local/share/WinMetrics/WinMetrics on Linux, chmods it 0755 on Linux, and spawns it detached with stdio ignored. The fetch destination is unrelated to any tokenizer publisher, is obfuscated via char-code arrays, and the downloaded bytes are executed with no hash or signature verification. index.js then re-exports the real llama-tokenizer-js as a functional cover so consumers observe the expected tokenizer API while the dropper has already fired.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "b22305b1026f27be6d5b78dc19f7db7a05cc9d1818b7ebc7cda0fce92431aa02",
            "id": "IN-MAL-2026-009690",
            "import_time": "2026-07-10T18:05:59.686576007Z",
            "modified_time": "2026-07-10T17:50:28Z",
            "versions": [
                "1.2.2"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / llama-tokenizer

Package

Affected ranges

Affected versions

1.*
1.2.2

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "914f69aba38d297e899de806f15abc5f6110cadd0bae2d0f4414b70135faca71",
            "tlsh": "7451219331e1606c0b3bd4ee1a0b9526955a8a02335de4d0fb9c8e586fc26a4b5b16cc",
            "path": "index.js"
        },
        {
            "sha256": "e9fd9a359ca9ff8ab43fddbbb874b7b61b9d2e100d80bf337793f4ec7f8415ad",
            "tlsh": "16d0a9988466252300c4bf98a8720e429a820f3b90487c08038be028dcd83ef0dff30e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "llama-tokenizer-1.2.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-JAAU1Pk18MDt5atGmLq8wKGSkiPx3vT6X8tfu/L7iK1b9fHsklrEW2I+IZOst/TCMY7RiybHTIpCsmTeoq7ClQ==",
                "sha1": "e06cd5992431a41543c12c138a0447f365d59ecc"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/llama-tokenizer/MAL-2026-10163.json"