Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in tinymask-js (npm)

tinymask-js

Risk score

92

AI summary

Indexed incident for tinymask-js (npm).

Description

index.js (declared as the package main) reconstructs a host, URL paths, and dropped filenames from String.fromCharCode numeric arrays, resolving to https://filament-zap.vercel.app/service/assets/fetchBinary and /fetchLinuxBinary. On require, it downloads an OS-specific binary over HTTPS, writes it to %LOCALAPPDATA%\Programs\WinMetrics\WinService.exe on Windows or ~/.local/share/WinMetrics on Linux, chmods it 0755 on Linux, and spawns it detached with stdio ignored and windowsHide set. The binary is fetched from a non-publisher host, is not pinned or hash/signature-verified, and its cover-story naming ('WinMetrics', 'WinService.exe') is unrelated to the package's advertised input-masking purpose. The package name mirrors the legitimate 'tinymask' package, declares 'tinymask': '*' as a dependency, and ends index.js with module.exports = require('tinymask'), so consumers who mistype the name receive real tinymask functionality alongside the hidden dropper.

Technical details

Affected versions

=1.0.2

Indicators

  • affected version=1.0.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents