MAL-2026-6312

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@tinyfox/shapecheck/MAL-2026-6312.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6312

Published

2026-06-22T12:00:00Z

Modified

2026-06-23T19:46:25.980037070Z

Summary

Malicious code in @tinyfox/shapecheck (npm)

Details

@tinyfox/shapecheck (malicious version 0.8.7, published by tinyfox-yjwiqz@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a runtime type/shape validator and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload at dist/bootstrap.cjs. package.json declares a postinstall hook ("node dist/bootstrap.cjs") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Malicious payload dist/bootstrap.cjs SHA-256: 0d27ca72b6f02faf4db95effb18347a7e2fa2def2034707bf9e56fa217879a3b.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ccad6ae47c18b5b41d16625a00ce1b493fc44d7e22658d549ff709d6df297b70)

Package @tinyfox/shapecheck re-publishes the source of the legitimate rulr validation library (repository field still points at git+https://github.com/ryasmi/rulr.git) under a different name, and adds an obfuscated dist/bootstrap.cjs (~282 KB, obfuscator.io-style string-array + RC4-style decoder) that the library's main entry dist/rulr.cjs requires on every load. The exported object() API immediately calls __tb.runPrepare(), so simply require('@tinyfox/shapecheck') and using its documented validation API fires the malicious bootstrap. The bootstrap dynamically imports https, child_process, crypto, fs, os, path, net; HTTPS-downloads files together with <file>.meta hash metadata; AES-256-GCM-decrypts in-package ciphertext with hardcoded base64 key/iv/aad; stages the result in os.tmpdir()/installer-<euid>; and executes the decrypted bytes via process.execPath or sh -c, with redirect handling, 25-minute timeout, retry/backoff, and PID-collision detection. It also implements an argv-hijacking re-spawn: it reads process.argv.slice(2), sets a sentinel env var to prevent recursion, and child_process.spawn(process.execPath, argv, { env, stdio: 'inherit', detached: true }).unref()s the operator's original Node invocation under bootstrap control — wrapping any script the developer runs as a child of the malware. The bootstrap is also directly executable: if (require.main === module) onInstall() triggers the same payload when a developer runs node node_modules/@tinyfox/shapecheck/dist/bootstrap.cjs. There are no preinstall/install/postinstall/prepare lifecycle hooks, so harm fires on require/import of the package or on direct invocation, not on npm install itself.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "72ee3049c29e3c457454a0dd3b3e188ff8e3aa4e5e2bfa43b31b1251c9b32f21",
            "import_time": "2026-06-23T16:54:17.383392376Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:23:01Z",
            "versions": [
                "0.8.5"
            ],
            "id": "IN-MAL-2026-007318"
        },
        {
            "sha256": "84cc10505ea4a998b453bc9ddb1aa166170515fb5fca398191d687896fd8abc7",
            "id": "IN-MAL-2026-007311",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:22:54Z",
            "versions": [
                "0.8.6"
            ],
            "import_time": "2026-06-23T16:54:16.894542986Z"
        },
        {
            "sha256": "a833d66c025b4cad42e5b7a2411fbdffb09c41c82d82bc90bae077cdb36e6767",
            "import_time": "2026-06-23T16:54:16.50770449Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:22:49Z",
            "versions": [
                "0.8.7"
            ],
            "id": "IN-MAL-2026-007306"
        },
        {
            "sha256": "ccad6ae47c18b5b41d16625a00ce1b493fc44d7e22658d549ff709d6df297b70",
            "id": "IN-MAL-2026-007310",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:22:54Z",
            "versions": [
                "0.8.8"
            ],
            "import_time": "2026-06-23T16:54:16.842055705Z"
        },
        {
            "sha256": "db836dd464bb496bf919568c0a9a01d02bea880b6993e0145b53fd889574454e",
            "import_time": "2026-06-23T16:54:16.947057056Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:22:55Z",
            "versions": [
                "0.7.4"
            ],
            "id": "IN-MAL-2026-007312"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com
- SafeDep - FINDER
- - https://safedep.io

Affected packages

npm / @tinyfox/shapecheck

Package

Name: @tinyfox/shapecheck; View open source insights on deps.dev
Purl: pkg:npm/%40tinyfox%2Fshapecheck

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.7.4

0.8.5

0.8.6

0.8.7

0.8.8

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@tinyfox/shapecheck/MAL-2026-6312.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "tlsh": "ffe0dfce38fe68706b18432a66469c8779a028591301a02043c1cbe9274842a57a2caf",
            "sha256": "1b80c5775508dcb5c44ef64f199dfe6823ef26e0b98d73b5ef074aedbe7e056c",
            "path": "dist/bootstrap.cjs"
        },
        {
            "sha256": "f295268d6a5b025838170034813270e4123f24129e3600552815a2bd998ff7c1",
            "tlsh": "9b215769c8744d631dcc29e56caa0547b660080baa64bd0933c6416c6f4d27f62ff2bd",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "shapecheck-0.8.5.tgz",
            "hashes": {
                "sha1": "f331efc313573a063568f3f895dd792c046038cd",
                "sha512_sri": "sha512-pSQRP0N3yn0F7ubM8GrNZ3p7uAHNRX0Gnmut+aQ/XSjpmsaBn4Jc9Nx5kMOBodqEwvblWefOXblI9EVReplIFg=="
            }
        }
    ]
}