VDB
KO

MAL-2026-10190

Malicious code in tinyparrot (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ec7ebbcc82edaa241764193ea85c0492b99f9ed3be805c57ef0914518cd4b6f9) The postinstall script src/build.js reconstructs the strings 'https', 'POST', and the destination host 'rnjkerbf.org/P' from integer-encoded arrays via base-decoders in src/const.js and src/helpers.js, then dynamically requires the resolved module and issues an HTTPS POST to https://rnjkerbf.org/P. The value of the response header 'm' is passed directly to child_process.execSync, so arbitrary shell commands returned by the attacker-controlled server run on the installer's machine at 'npm install' time. Errors are swallowed by try/catch to hide failures. The URL, HTTP method, and required module name are all hidden behind numeric-literal decoders to evade static inspection.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / tinyparrot

No fixed version published yet for tinyparrot (npm). Pin to a known-safe version or switch to an alternative.

References