MAL-2026-10189

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tinymask-js/MAL-2026-10189.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10189
Published
2026-07-11T23:23:11Z
Modified
2026-07-12T00:01:52.075758847Z
Summary
Malicious code in tinymask-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (dc1d083feee4cace9dba5cabdfd74701c7dc093520f0bbc104858ab699203604)

index.js (declared as the package main) reconstructs a host, URL paths, and dropped filenames from String.fromCharCode numeric arrays, resolving to https://filament-zap.vercel.app/service/assets/fetchBinary and /fetchLinuxBinary. On require, it downloads an OS-specific binary over HTTPS, writes it to %LOCALAPPDATA%\Programs\WinMetrics\WinService.exe on Windows or ~/.local/share/WinMetrics on Linux, chmods it 0755 on Linux, and spawns it detached with stdio ignored and windowsHide set. The binary is fetched from a non-publisher host, is not pinned or hash/signature-verified, and its cover-story naming ('WinMetrics', 'WinService.exe') is unrelated to the package's advertised input-masking purpose. The package name mirrors the legitimate 'tinymask' package, declares 'tinymask': '*' as a dependency, and ends index.js with module.exports = require('tinymask'), so consumers who mistype the name receive real tinymask functionality alongside the hidden dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "dc1d083feee4cace9dba5cabdfd74701c7dc093520f0bbc104858ab699203604",
            "id": "IN-MAL-2026-009744",
            "modified_time": "2026-07-11T23:23:11Z",
            "versions": [
                "1.0.2"
            ],
            "import_time": "2026-07-11T23:49:33.958674776Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / tinymask-js

Package

Affected ranges

Affected versions

1.*
1.0.2

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "0151029331e5606c4b3bd0ee190b9526955a8a02335de4d0fb9c4e586fc26b4b5f16cc",
            "sha256": "4d92810e005718d52f876601c1910905092974ac2adb35f17ef23732915341f1",
            "path": "index.js"
        },
        {
            "sha256": "b5b92228ed6bd32dfc935eb2858e3b1eb8b0bd393d6719a89e78424e6e4b25c2",
            "tlsh": "cec012244512792320c51bd08ce58e4796521e3f5148781d53d3103c81de6af14ff23f",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "tinymask-js-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-3Js9ZugHE3tA61yNNVMr0n2cZb23Gdft9bViExM/BU2EaFoH8jbVUgBSrs9RsKq8ht1YIZHKhk4eBqn6c3DQRg==",
                "sha1": "5bd023bac45804f8ce26949a293cdec5cc85742b"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tinymask-js/MAL-2026-10189.json"