malware npm

@tinyfox/shapecheck

discovered 2026-06-23

Campaign member that masquerades as a runtime type/shape validator (it ships a genuine validator as a decoy). Version 0.8.7 ships a 282 KB obfuscated downloader payload (dist/bootstrap.cjs) that is auto-executed via the postinstall script 'node dist/bootstrap.cjs'. Amazon Inspector's fuller enumeration lists 0.7.4 and 0.8.5-0.8.8 as malicious. The payload uses the same obfuscator template as the root lineage; build cluster C (_0x175f / __38CC632841_TAG). Per Amazon Inspector, the downloader leads to a Rust infostealer chain.

Threat types

credential_stealer, data_exfiltration, persistence, typosquat

Malicious versions

  • 0.7.4
  • 0.8.5
  • 0.8.6
  • 0.8.7 · 7334fe7a87b2c96c…
  • 0.8.8
