-= Per source details. Do not edit below this line.=-
index.js (declared as the package main) reconstructs a host, URL paths, and dropped filenames from String.fromCharCode numeric arrays, resolving to https://filament-zap.vercel.app/service/assets/fetchBinary and /fetchLinuxBinary. On require, it downloads an OS-specific binary over HTTPS, writes it to %LOCALAPPDATA%\Programs\WinMetrics\WinService.exe on Windows or ~/.local/share/WinMetrics on Linux, chmods it 0755 on Linux, and spawns it detached with stdio ignored and windowsHide set. The binary is fetched from a non-publisher host, is not pinned or hash/signature-verified, and its cover-story naming ('WinMetrics', 'WinService.exe') is unrelated to the package's advertised input-masking purpose. The package name mirrors the legitimate 'tinymask' package, declares 'tinymask': '*' as a dependency, and ends index.js with module.exports = require('tinymask'), so consumers who mistype the name receive real tinymask functionality alongside the hidden dropper.
{
"malicious-packages-origins": [
{
"sha256": "dc1d083feee4cace9dba5cabdfd74701c7dc093520f0bbc104858ab699203604",
"id": "IN-MAL-2026-009744",
"modified_time": "2026-07-11T23:23:11Z",
"versions": [
"1.0.2"
],
"import_time": "2026-07-11T23:49:33.958674776Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "0151029331e5606c4b3bd0ee190b9526955a8a02335de4d0fb9c4e586fc26b4b5f16cc",
"sha256": "4d92810e005718d52f876601c1910905092974ac2adb35f17ef23732915341f1",
"path": "index.js"
},
{
"sha256": "b5b92228ed6bd32dfc935eb2858e3b1eb8b0bd393d6719a89e78424e6e4b25c2",
"tlsh": "cec012244512792320c51bd08ce58e4796521e3f5148781d53d3103c81de6af14ff23f",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "tinymask-js-1.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-3Js9ZugHE3tA61yNNVMr0n2cZb23Gdft9bViExM/BU2EaFoH8jbVUgBSrs9RsKq8ht1YIZHKhk4eBqn6c3DQRg==",
"sha1": "5bd023bac45804f8ce26949a293cdec5cc85742b"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tinymask-js/MAL-2026-10189.json"