MAL-2026-10190: Malicious code in tinyparrot (npm)
The tinyparrot npm package version 0.4.1 contains malicious code that executes arbitrary shell commands during installation. This occurs because the postinstall script reconstructs a hidden URL and sends an HTTPS POST request to an attacker-controlled server. The server's response header is then executed as a shell command on the installer's machine. The malicious behavior is obfuscated using numeric-literal decoders to evade detection. This results in remote code execution at install time without user awareness.
AI Analysis
Technical Summary
The tinyparrot package version 0.4.1 includes a postinstall script (src/build.js) that reconstructs strings such as 'https', 'POST', and the destination host 'rnjkerbf.org/P' from integer-encoded arrays using base decoders in src/const.js and src/helpers.js. It dynamically requires a resolved module and sends an HTTPS POST request to the attacker-controlled URL. The response header 'm' from this request is passed directly to child_process.execSync, allowing arbitrary shell commands from the attacker to execute on the victim's machine during 'npm install'. Errors are caught and suppressed to avoid detection. The obfuscation of the URL, HTTP method, and module name via numeric decoders is intended to evade static analysis.
Potential Impact
This vulnerability enables remote code execution on any system that installs tinyparrot version 0.4.1 via npm. The attacker can run arbitrary shell commands with the privileges of the user performing the installation, potentially leading to full system compromise, data theft, or further malware deployment. The malicious code executes silently during installation, increasing the risk of unnoticed compromise.
Mitigation Recommendations
No official patch or remediation is currently available for tinyparrot version 0.4.1. Users should avoid installing this package version. Verify the integrity and source of npm packages before installation. Consider using package auditing tools to detect malicious code. Monitor vendor advisories for updates or fixes. Since this is not a cloud service, remediation depends on users avoiding or removing the affected package.
MAL-2026-10190: Malicious code in tinyparrot (npm)
Description
The tinyparrot npm package version 0.4.1 contains malicious code that executes arbitrary shell commands during installation. This occurs because the postinstall script reconstructs a hidden URL and sends an HTTPS POST request to an attacker-controlled server. The server's response header is then executed as a shell command on the installer's machine. The malicious behavior is obfuscated using numeric-literal decoders to evade detection. This results in remote code execution at install time without user awareness.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The tinyparrot package version 0.4.1 includes a postinstall script (src/build.js) that reconstructs strings such as 'https', 'POST', and the destination host 'rnjkerbf.org/P' from integer-encoded arrays using base decoders in src/const.js and src/helpers.js. It dynamically requires a resolved module and sends an HTTPS POST request to the attacker-controlled URL. The response header 'm' from this request is passed directly to child_process.execSync, allowing arbitrary shell commands from the attacker to execute on the victim's machine during 'npm install'. Errors are caught and suppressed to avoid detection. The obfuscation of the URL, HTTP method, and module name via numeric decoders is intended to evade static analysis.
Potential Impact
This vulnerability enables remote code execution on any system that installs tinyparrot version 0.4.1 via npm. The attacker can run arbitrary shell commands with the privileges of the user performing the installation, potentially leading to full system compromise, data theft, or further malware deployment. The malicious code executes silently during installation, increasing the risk of unnoticed compromise.
Mitigation Recommendations
No official patch or remediation is currently available for tinyparrot version 0.4.1. Users should avoid installing this package version. Verify the integrity and source of npm packages before installation. Consider using package auditing tools to detect malicious code. Monitor vendor advisories for updates or fixes. Since this is not a cloud service, remediation depends on users avoiding or removing the affected package.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10190
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a535bfc68715ace43ad513b
Added to database: 07/12/2026, 09:18:52 UTC
Last enriched: 07/12/2026, 09:21:17 UTC
Last updated: 07/13/2026, 03:04:35 UTC
Views: 37
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.