MAL-2026-10189
Malicious code in tinymask-js (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (dc1d083feee4cace9dba5cabdfd74701c7dc093520f0bbc104858ab699203604) index.js (declared as the package main) reconstructs a host, URL paths, and dropped filenames from String.fromCharCode numeric arrays, resolving to https://filament-zap.vercel.app/service/assets/fetchBinary and /fetchLinuxBinary. On require, it downloads an OS-specific binary over HTTPS, writes it to %LOCALAPPDATA%\Programs\WinMetrics\WinService.exe on Windows or ~/.local/share/WinMetrics on Linux, chmods it 0755 on Linux, and spawns it detached with stdio ignored and windowsHide set. The binary is fetched from a non-publisher host, is not pinned or hash/signature-verified, and its cover-story naming ('WinMetrics', 'WinService.exe') is unrelated to the package's advertised input-masking purpose. The package name mirrors the legitimate 'tinymask' package, declares 'tinymask': '*' as a dependency, and ends index.js with module.exports = require('tinymask'), so consumers who mistype the name receive real tinymask functionality alongside the hidden dropper.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for tinymask-js (npm). Pin to a known-safe version or switch to an alternative.