MAL-2026-4483
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (87f9eda6644870362103de6f3bf1877efb1039c4b2b771343bcf6c38f216ecc0)
package.json declares `"preinstall": "./bin/install-deps"`, which points at a 976,568-byte Linux x86-64 ELF executable shipped in the tarball with no source, no build system, and no documentation. The binary is run as the installing user on every `npm install`. Strings inside the ELF include `LIBBPF`, `PTRACE`, `HTTP/1.1`, `POST`, `USERPROFILE`, and `Ed25519` — capabilities (eBPF, process tracing, HTTP POST, cross-platform home-directory paths, key handling) that are unrelated to an Arweave deploy CLI. The package is also a clear impersonation of the legitimate Arweave `arkb` tool: it declares `"bin": { "arkb": "./bin/app.js" }` so `npx arkb` resolves to this package, its commands.js duplicates the real arkb help output (`arkb ${command + usage}`), and it lists `@textury/ardb` as a dependency to ride on the textury/Arweave brand. The combination of a typosquat lure plus an opaque preinstall native binary with no matching source is the canonical install-time-RCE / dropper pattern: any developer who runs `npm install arnext-arkb` (or installs it transitively) executes attacker-controlled native code under their own account before any other code runs.
Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
- CWE-506 - The product contains code that appears to be malicious in nature.
```json
{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "package.json",
              "sha256": "1326a193fcc0f4f022762475e9112da1506582476623411e15de7e95002c9593",
              "tlsh": "11110111cea0dde309c89aea18ba561ab09068578d04fd0c3393a70d8f0d22f3275e5e"
            }
          ],
          "package_integrity": [
            {
              "filename": "arnext-arkb-0.0.2.tgz",
              "hashes": {
                "sha1": "27b563ca40225feb4666da2e73d3055c9ade39da",
                "sha512_sri": "sha512-SQCFHZundGARMD67wjNlSAOh8Rr1fM5euh0fDDF4NiSrE16w/+k6KTORf9EAZCtbYEeabxf+92vjEG5HfxmMXg=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "arnext-arkb"
      },
      "versions": [
        "0.0.2"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "actran@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-004832",
        "import_time": "2026-05-26T05:53:22.219304061Z",
        "modified_time": "2026-05-26T01:01:13Z",
        "sha256": "87f9eda6644870362103de6f3bf1877efb1039c4b2b771343bcf6c38f216ecc0",
        "source": "amazon-inspector",
        "versions": [
          "0.0.2"
        ]
      },
      {
        "import_time": "2026-06-04T22:42:01.227855Z",
        "modified_time": "2026-06-04T22:28:51.769005667Z",
        "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
        "source": "google-open-source-security",
        "versions": [
          "0.0.2"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (87f9eda6644870362103de6f3bf1877efb1039c4b2b771343bcf6c38f216ecc0)\npackage.json declares `\"preinstall\": \"./bin/install-deps\"`, which points at a 976,568-byte Linux x86-64 ELF executable shipped in the tarball with no source, no build system, and no documentation. The binary is run as the installing user on every `npm install`. Strings inside the ELF include `LIBBPF`, `PTRACE`, `HTTP/1.1`, `POST`, `USERPROFILE`, and `Ed25519` \u2014 capabilities (eBPF, process tracing, HTTP POST, cross-platform home-directory paths, key handling) that are unrelated to an Arweave deploy CLI. The package is also a clear impersonation of the legitimate Arweave `arkb` tool: it declares `\"bin\": { \"arkb\": \"./bin/app.js\" }` so `npx arkb` resolves to this package, its commands.js duplicates the real arkb help output (`arkb ${command + usage}`), and it lists `@textury/ardb` as a dependency to ride on the textury/Arweave brand. The combination of a typosquat lure plus an opaque preinstall native binary with no matching source is the canonical install-time-RCE / dropper pattern: any developer who runs `npm install arnext-arkb` (or installs it transitively) executes attacker-controlled native code under their own account before any other code runs.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim\u0027s repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n",
  "id": "MAL-2026-4483",
  "modified": "2026-06-04T23:12:16Z",
  "published": "2026-05-26T01:01:13Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/arnext-arkb/v/0.0.2"
    },
    {
      "type": "ARTICLE",
      "url": "http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"
    },
    {
      "type": "ARTICLE",
      "url": "https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in arnext-arkb (npm)"
}
```
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|