malware
npm
@tinyfox/shapecheck
discovered 2026-06-23
Campaign member that masquerades as a runtime type/shape validator and ships a genuine validator as a decoy. Version 0.8.7 ships a 282KB obfuscated downloader payload (dist/bootstrap.cjs) that is auto-executed via the postinstall script 'node dist/bootstrap.cjs'. Amazon Inspector's fuller enumeration lists 0.7.4 and 0.8.5-0.8.8 as malicious. The payload uses the same obfuscator template as the root lineage and belongs to build cluster C (_0x175f / __38CC632841_TAG). The chain is downloader -> Rust infostealer, per Amazon Inspector.
Threat types
credential_stealer data_exfiltration persistence typosquat
Malicious versions
- 0.7.4
- 0.8.5
- 0.8.6
- 0.8.7 · 7334fe7a87b2c96c…
- 0.8.8