OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10163 confirms this npm version as malicious. This package typosquats llama-tokenizer-js. On require, index.js reconstructs a host and URL path from String.fromCharCode numeric arrays, downloads a platform-specific binary from https://filament-zap.vercel.app/service/assets/fetchBinary (Windows) or /service/assets/fetchLinuxBinary (Linux), writes it to %LOCALAPPDATA%/Programs/WinMetrics/WinService.exe on Windows or ~/.local/share/WinMetrics/WinMetrics on Linux,...
Advisory
MAL-2026-10163
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in llama-tokenizer (npm)
Details
This package typosquats llama-tokenizer-js. On require, index.js reconstructs a host and URL path from String.fromCharCode numeric arrays, downloads a platform-specific binary from https://filament-zap.vercel.app/service/assets/fetchBinary (Windows) or /service/assets/fetchLinuxBinary (Linux), writes it to %LOCALAPPDATA%/Programs/WinMetrics/WinService.exe on Windows or ~/.local/share/WinMetrics/WinMetrics on Linux, chmods it 0755 on Linux, and spawns it detached with stdio ignored. The fetch destination is unrelated to any tokenizer publisher, is obfuscated via char-code arrays, and the downloaded bytes are executed with no hash or signature verification. index.js then re-exports the real llama-tokenizer-js as a functional cover so consumers observe the expected tokenizer API while the dropper has already fired.
Decision reason
OpenSSF Malicious Packages via OSV confirms llama-tokenizer@1.2.2 as malicious (MAL-2026-10163): Malicious code in llama-tokenizer (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory