OSV ID
MAL-2026-5924
Ecosystem
npm
Summary
On any call to the exported pack() function, index.js downloads a platform-specific binary from https://wotann-dktl.vercel.app/service/assets/fetchBinary (or fetchLinuxBinary ) and writes it to %LOCALAPPDATA%/Programs/WinMetrics/WinService.exe on Windows or ~/.local/share/WinMetrics/WinMetrics on Linux. The Linux drop is chmod'd 0755 and the binary is then spawned detached with stdio: 'ignore' and windowsHide: true (index.js:67), unref'd so it survives the parent process. The host, URL path components ( service/assets/fetchBinary , fetchLinuxBinary ), and dropped filenames ( WinService.exe , WinMetrics ) are assembled at runtime from String.fromCharCode numeric arrays (index.js:23-28,:49) to hide them from scanners. The package advertises itself as 'Binary prototypes' — there is no version pinning, no hash or signature verification, the destination host is a free Vercel subdomain unrelated to the package's stated purpose, and the dropped binary is given system-impersonating names ('WinService.exe' under 'Programs/WinMetrics') to blend into process lists. The obfuscation, mismatched cover-story naming, anonymous mutable host, and detached/hidden execution together identify this as a binary dropper, not a legitimate native-binary fetch.
Source: amazon-inspector (1bbe88a299e58c31b71b346733abb6684ce1a1e8e68fad118eca48a53a2b15a3)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.