MAL-2026-4482
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (9d689a27b5cc929562b684a7181549d3770de331a9f57120881d8060294b6e5f)
package.json declares "preinstall": "./vendor/setup", which runs a 976,568-byte Linux ELF binary on every npm install. The package's stated purpose is a small React/Next.js Arweave routing helper (dist/esm/index.js) — there is no documented or structural reason for it to ship or execute a native binary. The binary is packed/obfuscated (mostly non-printable string output, no README or docs explaining its role) and is invoked solely from the install lifecycle hook, with no source, build script, or hash verification accompanying it. Extracted strings include LIBBPF_0.0, ~PTRACE, /proc references, USERPROFILE, https://, HTTP/1.1, GitHub API version 2022-11-28, Ed25519, RSA_PKCS1_, and POST/DELETE verbs — fingerprints consistent with a credential-harvesting / GitHub-API-abusing payload with anti-debug instrumentation. The binary is not version-pinned to any publisher release, not hash-verified, and the package's advertised purpose is unrelated to any of the binary's apparent capabilities. This matches the opaque-native-binary-with-doc-mismatch and generic-binary-runner-dropper attack patterns: arbitrary attacker-controlled native code executes on every installer's machine without consent or inspectability.
Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "package.json",
"sha256": "6b6bc1dd0c2c38529991a2d2c45e4ada688fde2958577cdf62f4fedf7cfc4119",
"tlsh": "d511ba35c8a08da328d126ac943a0383e9b19497a554ed4933dd610c4f0e2af21bf7e8"
},
{
"path": "vendor/setup",
"sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
"tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"
}
],
"package_integrity": [
{
"filename": "arnext-0.1.5.tgz",
"hashes": {
"sha1": "78cb8b76d6121346c161667b673a33fa6a63225b",
"sha512_sri": "sha512-xeOTqVjr08pfSqysAnYeEWb54V2/wuk4YVKZ+QVHCp5MA5n10CIfV/pUpWT5VfV/m7S/V3cTUeNJ/Lrz58bNWQ=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "arnext"
},
"versions": [
"0.1.5"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004828",
"import_time": "2026-05-26T05:53:21.797683398Z",
"modified_time": "2026-05-26T01:01:07Z",
"sha256": "9d689a27b5cc929562b684a7181549d3770de331a9f57120881d8060294b6e5f",
"source": "amazon-inspector",
"versions": [
"0.1.5"
]
},
{
"import_time": "2026-06-04T22:42:01.227855Z",
"modified_time": "2026-06-04T22:28:51.769005667Z",
"sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
"source": "google-open-source-security",
"versions": [
"0.1.5"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9d689a27b5cc929562b684a7181549d3770de331a9f57120881d8060294b6e5f)\npackage.json declares `\"preinstall\": \"./vendor/setup\"`, which runs a 976,568-byte Linux ELF binary on every `npm install`. The package\u0027s stated purpose is a small React/Next.js Arweave routing helper (dist/esm/index.js) \u2014 there is no documented or structural reason for it to ship or execute a native binary. The binary is packed/obfuscated (mostly non-printable string output, no README or docs explaining its role) and is invoked solely from the install lifecycle hook, with no source, build script, or hash verification accompanying it. Extracted strings include LIBBPF_0.0, ~PTRACE, /proc references, USERPROFILE, https://, HTTP/1.1, GitHub API version `2022-11-28`, Ed25519, RSA_PKCS1_, and POST/DELETE verbs \u2014 fingerprints consistent with a credential-harvesting / GitHub-API-abusing payload with anti-debug instrumentation. The binary is not version-pinned to any publisher release, not hash-verified, and the package\u0027s advertised purpose is unrelated to any of the binary\u0027s apparent capabilities. This matches the opaque-native-binary-with-doc-mismatch and generic-binary-runner-dropper attack patterns: arbitrary attacker-controlled native code executes on every installer\u0027s machine without consent or inspectability.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim\u0027s repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n",
"id": "MAL-2026-4482",
"modified": "2026-06-04T23:12:16Z",
"published": "2026-05-26T01:01:07Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/arnext/v/0.1.5"
},
{
"type": "ARTICLE",
"url": "http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"
},
{
"type": "ARTICLE",
"url": "https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in arnext (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.