MAL-2026-10190

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tinyparrot/MAL-2026-10190.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10190
Published
2026-07-11T23:20:47Z
Modified
2026-07-12T00:01:52.099862224Z
Summary
Malicious code in tinyparrot (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ec7ebbcc82edaa241764193ea85c0492b99f9ed3be805c57ef0914518cd4b6f9)

The postinstall script src/build.js reconstructs the strings 'https', 'POST', and the destination host 'rnjkerbf.org/P' from integer-encoded arrays via base-decoders in src/const.js and src/helpers.js, then dynamically requires the resolved module and issues an HTTPS POST to https://rnjkerbf.org/P. The value of the response header 'm' is passed directly to child_process.execSync, so arbitrary shell commands returned by the attacker-controlled server run on the installer's machine at 'npm install' time. Errors are swallowed by try/catch to hide failures. The URL, HTTP method, and required module name are all hidden behind numeric-literal decoders to evade static inspection.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.4.1"
            ],
            "id": "IN-MAL-2026-009742",
            "import_time": "2026-07-11T23:49:33.756334608Z",
            "modified_time": "2026-07-11T23:20:47Z",
            "sha256": "ec7ebbcc82edaa241764193ea85c0492b99f9ed3be805c57ef0914518cd4b6f9",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / tinyparrot

Package

Affected ranges

Affected versions

0.*
0.4.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "f093f558b779564b9b465280504af2a4f537e8e54954041f56be519212338751",
            "tlsh": "ecd02bf1819632f1ed508bf5ea210aa1a4f7c731b208c1d1328c918f17570184336865",
            "path": "src/tools.js"
        },
        {
            "sha256": "4b7a17a6676b134f258d4a13b17d2b596594cdaf1ae511958b1a7cd7b11a5e66",
            "tlsh": "0521368166ce745254f34397f1d7548deda993102307b4cabcf484ab0f442984453fe2",
            "path": "src/const.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "tinyparrot-0.4.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-YtjPxHIMCrFWFIS9AheY6qnJN2bD7a+7qiK00hmnqAtJaV6lx3jzecrFMvON+BzGGTseTIkwFy52WJYUCKyXwg==",
                "sha1": "4fba43af242f4d0772e3e58b34d2ecd494e5ecf6"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/tinyparrot/MAL-2026-10190.json"