npm

tinymask-js @1.0.2

Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 1:36 AM UTC

Malicious

OSV ID

MAL-2026-10189

Ecosystem

npm

Summary

index.js (declared as the package main) reconstructs a host, URL paths, and dropped filenames from String.fromCharCode numeric arrays, resolving to https://filament-zap.vercel.app/service/assets/fetchBinary and /fetchLinuxBinary. On require, it downloads an OS-specific binary over HTTPS, writes it to %LOCALAPPDATA%\Programs\WinMetrics\WinService.exe on Windows or ~/.local/share/WinMetrics on Linux, chmods it 0755 on Linux, and spawns it detached with stdio ignored and windowsHide set. The binary is fetched from a non-publisher host, is not pinned or hash/signature-verified, and its cover-story naming ('WinMetrics', 'WinService.exe') is unrelated to the package's advertised input-masking purpose. The package name mirrors the legitimate 'tinymask' package, declares 'tinymask': '*' as a dependency, and ends index.js with module.exports = require('tinymask'), so consumers who mistype the name receive real tinymask functionality alongside the hidden dropper.

Source: amazon-inspector (dc1d083feee4cace9dba5cabdfd74701c7dc093520f0bbc104858ab699203604)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.