-= Per source details. Do not edit below this line.=-
The postinstall script src/build.js reconstructs the strings 'https', 'POST', and the destination host 'rnjkerbf.org/P' from integer-encoded arrays via base-decoders in src/const.js and src/helpers.js, then dynamically requires the resolved module and issues an HTTPS POST to https://rnjkerbf.org/P. The value of the response header 'm' is passed directly to child_process.execSync, so arbitrary shell commands returned by the attacker-controlled server run on the installer's machine at 'npm install' time. Errors are swallowed by try/catch to hide failures. The URL, HTTP method, and required module name are all hidden behind numeric-literal decoders to evade static inspection.
{
"malicious-packages-origins": [
{
"versions": [
"0.4.1"
],
"id": "IN-MAL-2026-009742",
"import_time": "2026-07-11T23:49:33.756334608Z",
"modified_time": "2026-07-11T23:20:47Z",
"sha256": "ec7ebbcc82edaa241764193ea85c0492b99f9ed3be805c57ef0914518cd4b6f9",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "f093f558b779564b9b465280504af2a4f537e8e54954041f56be519212338751",
"tlsh": "ecd02bf1819632f1ed508bf5ea210aa1a4f7c731b208c1d1328c918f17570184336865",
"path": "src/tools.js"
},
{
"sha256": "4b7a17a6676b134f258d4a13b17d2b596594cdaf1ae511958b1a7cd7b11a5e66",
"tlsh": "0521368166ce745254f34397f1d7548deda993102307b4cabcf484ab0f442984453fe2",
"path": "src/const.js"
}
],
"package_integrity": [
{
"filename": "tinyparrot-0.4.1.tgz",
"hashes": {
"sha512_sri": "sha512-YtjPxHIMCrFWFIS9AheY6qnJN2bD7a+7qiK00hmnqAtJaV6lx3jzecrFMvON+BzGGTseTIkwFy52WJYUCKyXwg==",
"sha1": "4fba43af242f4d0772e3e58b34d2ecd494e5ecf6"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tinyparrot/MAL-2026-10190.json"