@tinyfox/shapechecknpm

@tinyfox/shapecheck (malicious version 0.8.7, published by [email protected]) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a runtime type/shape validator and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload at dist/bootstrap.cjs. package.json declares a postinstall hook ("node dist/bootstrap.cjs") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Malicious payload dist/bootstrap.cjs SHA-256: 0d27ca72b6f02faf4db95effb18347a7e2fa2def2034707bf9e56fa217879a3b.

Package @tinyfox/shapecheck re-publishes the source of the legitimate rulr validation library (repository field still points at git+https://github.com/ryasmi/rulr.git) under a different name, and adds an obfuscated dist/bootstrap.cjs (~282 KB, obfuscator.io-style string-array + RC4-style decoder) that the library's main entry dist/rulr.cjs requires on every load. The exported object() API immediately calls __tb.runPrepare(), so simply require('@tinyfox/shapecheck') and using its documented validation API fires the malicious bootstrap. The bootstrap dynamically imports https, child_process, crypto, fs, os, path, net; HTTPS-downloads files together with <file>.meta hash metadata; AES-256-GCM-decrypts in-package ciphertext with hardcoded base64 key/iv/aad; stages the result in os.tmpdir()/installer-<euid>; and executes the decrypted bytes via process.execPath or sh -c, with redirect handling, 25-minute timeout, retry/backoff, and PID-collision detection. It also implements an argv-hijacking re-spawn: it reads process.argv.slice(2), sets a sentinel env var to prevent recursion, and child_process.spawn(process.execPath, argv, { env, stdio: 'inherit', detached: true }).unref()s the operator's original Node invocation under bootstrap control — wrapping any script the developer runs as a child of the malware. The bootstrap is also directly executable: if (require.main === module) onInstall() triggers the same payload when a developer runs node node_modules/@tinyfox/shapecheck/dist/bootstrap.cjs. There are no preinstall/install/postinstall/prepare lifecycle hooks, so harm fires on require/import of the package or on direct invocation, not on npm install itself.