registry  /  tinyparrot  /  0.4.1

tinyparrot@0.4.1

tinyparrot: autoprefix + minify + dedupe + optional purge

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10190 confirms this npm version as malicious. The postinstall script src/build.js reconstructs the strings 'https', 'POST', and the destination host 'rnjkerbf.org/P' from integer-encoded arrays via base-decoders in src/const.js and src/helpers.js, then dynamically requires the resolved module and issues an HTTPS POST to https://rnjkerbf.org/P. The value of the response header 'm' is passed directly to child_process.execSync, so arbitrary shell commands returned...

Advisory
MAL-2026-10190
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in tinyparrot (npm)
Details
The postinstall script src/build.js reconstructs the strings 'https', 'POST', and the destination host 'rnjkerbf.org/P' from integer-encoded arrays via base-decoders in src/const.js and src/helpers.js, then dynamically requires the resolved module and issues an HTTPS POST to https://rnjkerbf.org/P. The value of the response header 'm' is passed directly to child_process.execSync, so arbitrary shell commands returned by the attacker-controlled server run on the installer's machine at 'npm install' time. Errors are swallowed by try/catch to hide failures. The URL, HTTP method, and required module name are all hidden behind numeric-literal decoders to evade static inspection.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessDynamicRequireFilesystem
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 5.93 KB of source

Source & flagged code

2 flagged · loading source
package.jsonView file
scripts.postinstall = node ./src/build.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
src/tools.jsView file
1const {execSync} = require("child_process"); L2: const {reader, hash, meta} = require("./const.js");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

src/tools.jsView on unpkg · L1

Findings

1 High2 Medium3 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumDynamic Requiresrc/tools.js
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem