VDB
KO

MAL-2026-10189

Malicious code in tinymask-js (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dc1d083feee4cace9dba5cabdfd74701c7dc093520f0bbc104858ab699203604) index.js (declared as the package main) reconstructs a host, URL paths, and dropped filenames from String.fromCharCode numeric arrays, resolving to https://filament-zap.vercel.app/service/assets/fetchBinary and /fetchLinuxBinary. On require, it downloads an OS-specific binary over HTTPS, writes it to %LOCALAPPDATA%\Programs\WinMetrics\WinService.exe on Windows or ~/.local/share/WinMetrics on Linux, chmods it 0755 on Linux, and spawns it detached with stdio ignored and windowsHide set. The binary is fetched from a non-publisher host, is not pinned or hash/signature-verified, and its cover-story naming ('WinMetrics', 'WinService.exe') is unrelated to the package's advertised input-masking purpose. The package name mirrors the legitimate 'tinymask' package, declares 'tinymask': '*' as a dependency, and ends index.js with module.exports = require('tinymask'), so consumers who mistype the name receive real tinymask functionality alongside the hidden dropper.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / tinymask-js

No fixed version published yet for tinymask-js (npm). Pin to a known-safe version or switch to an alternative.

References