MAL-2026-5924

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/binproto/MAL-2026-5924.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-5924
Published: 2026-06-16T19:56:34Z
Modified: 2026-06-16T21:16:46.722372587Z
Summary: Malicious code in binproto (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1bbe88a299e58c31b71b346733abb6684ce1a1e8e68fad118eca48a53a2b15a3)

On any call to the exported pack() function, index.js downloads a platform-specific binary from https://wotann-dktl.vercel.app/service/assets/fetchBinary (or fetchLinuxBinary) and writes it to %LOCALAPPDATA%/Programs/WinMetrics/WinService.exe on Windows or ~/.local/share/WinMetrics/WinMetrics on Linux. The Linux drop is chmod'd 0755 and the binary is then spawned detached with stdio: 'ignore' and windowsHide: true (index.js:67), unref'd so it survives the parent process. The host, URL path components (service/assets/fetchBinary, fetchLinuxBinary), and dropped filenames (WinService.exe, WinMetrics) are assembled at runtime from String.fromCharCode numeric arrays (index.js:23-28,:49) to hide them from scanners. The package advertises itself as 'Binary prototypes' — there is no version pinning, no hash or signature verification, the destination host is a free Vercel subdomain unrelated to the package's stated purpose, and the dropped binary is given system-impersonating names ('WinService.exe' under 'Programs/WinMetrics') to blend into process lists. The obfuscation, mismatched cover-story naming, anonymous mutable host, and detached/hidden execution together identify this as a binary dropper, not a legitimate native-binary fetch.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1bbe88a299e58c31b71b346733abb6684ce1a1e8e68fad118eca48a53a2b15a3",
            "id": "IN-MAL-2026-006828",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T19:56:34Z",
            "versions": [
                "1.0.7"
            ],
            "import_time": "2026-06-16T21:06:47.021150359Z"
        },
        {
            "sha256": "472099c9263e5c2592d818a4068a978079a3f77a26edcf855cb19e06947d7aee",
            "import_time": "2026-06-16T21:06:47.170738107Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T19:56:36Z",
            "versions": [
                "1.0.5"
            ],
            "id": "IN-MAL-2026-006829"
        }
    ]
}

Affected packages

npm / binproto

Affected versions

1.*
1.0.5
1.0.7

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/binproto/MAL-2026-5924.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "779efb0fe92699569b851ff5429e07c96c76a9801b0ff01c5ae040945bec1d95",
            "tlsh": "01a1764376e1703c0723e4ed56a6d81ba15e8902334ce4e0fa9d4d049fc26a4daf5acc",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "binproto-1.0.7.tgz",
            "hashes": {
                "sha1": "b913145c9ab299e1daf0a3279e2b6fe92d977d6b",
                "sha512_sri": "sha512-49LiBMViulpEEYjZyzUVy+NPm7L8phk4xKQhuuslQMfz5c2eIzMLufO1w64B21DVC4Wr5dEf62N53OeERpyD1A=="
            }
        }
    ]
}