MAL-2026-4486
Vulnerability from ossf_malicious_packages
Published
2026-05-26 01:00
Modified
2026-06-04 23:12
Summary
Malicious code in atomic-notes (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c70dcf4fd11ae58bf4e06b896b2f163d54e3c3a26b66d472bab1e0af126f6f81)

package.json declares the lifecycle script preinstall: ./.github/scripts/precheck, which executes a 976 KB stripped, UPX-packed Linux x86_64 ELF shipped at .github/scripts/precheck on every npm install. The binary is opaque (packed and stripped; the UPX marker http://upx.sf.net is present) and contains kernel/syscall surface (LIBBPF, PTRACE, NETLINK, NETLINK_DIAG), a TLS/HTTP client (HTTP/1.1, Ed25519, RSA_PKCS1_, POST), and references to USERPROFILE and https://, capabilities entirely unrelated to the package's advertised purpose as a JavaScript Arweave/AO 'atomic-notes' library. The binary is hidden under .github/scripts/, a directory normally reserved for CI workflow YAML, not runtime code. The author and description fields in package.json are empty placeholders. There is no hash verification, no documentation, and no legitimate reason for a JS library to execute an opaque privileged Linux binary at install time.
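
An added example, not code from the advisory sources or the atomic-notes project: the Python script below audits an npm tarball the way the finding above was reasoned about. It parses package.json out of the .tgz, resolves each lifecycle script that names a file shipped in the archive, and reports whether that file is an ELF, carries the UPX marker, sits under .github/, and whether its SHA-256 matches the evidence-file hash listed in this advisory; it also computes the sha512 SRI string npm records for a tarball so the value can be compared against the package_integrity entry. The sample tarball, its dummy payload (an ELF header plus a UPX marker, not a working binary) and its package.json contents are constructed for the demo.

```python
"""Audit an npm tarball for install-time native payloads (added example)."""
import base64
import hashlib
import io
import json
import re
import tarfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"http://upx.sf.net"

# SHA-256 of .github/scripts/precheck as listed in the advisory's evidence_files.
KNOWN_BAD_SHA256 = {
    "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
}


def _members(tgz: bytes) -> dict:
    """Map archive paths (npm's leading 'package/' stripped) to file bytes."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                name = m.name.split("/", 1)[1] if "/" in m.name else m.name
                out[name] = tf.extractfile(m).read()
    return out


def audit_tarball(tgz: bytes, known_bad=KNOWN_BAD_SHA256) -> list:
    """One finding per lifecycle script token that names a file in the archive."""
    files = _members(tgz)
    scripts = json.loads(files.get("package.json", b"{}")).get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Split the shell command on whitespace/operators; keep tokens that are shipped files.
        for tok in re.split(r"[\s;&|]+", cmd):
            path = tok[2:] if tok.startswith("./") else tok
            if path not in files:
                continue
            blob = files[path]
            digest = hashlib.sha256(blob).hexdigest()
            findings.append({
                "hook": hook,
                "path": path,
                "is_elf": blob.startswith(ELF_MAGIC),
                "upx": UPX_MARKER in blob,
                "in_ci_dir": path.startswith(".github/"),
                "sha256": digest,
                "ioc_match": digest in known_bad,
            })
    return findings


def tarball_sri(tgz: bytes) -> str:
    """sha512 Subresource Integrity string, the form npm records for a tarball."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tgz).digest()).decode()


def build_sample() -> bytes:
    """Constructed tarball mirroring the advisory's layout; NOT the real package.
    The payload is a dummy ELF header plus a UPX marker, not a working binary."""
    payload = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61 + b"UPX!" + UPX_MARKER + b"\x00" * 32
    pkg = {"name": "atomic-notes", "version": "0.5.3", "author": "", "description": "",
           "scripts": {"preinstall": "./.github/scripts/precheck"}}
    entries = (
        ("package/package.json", json.dumps(pkg).encode()),
        ("package/.github/scripts/precheck", payload),
        ("package/index.js", b"module.exports = {};\n"),
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.endswith("precheck") else 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(tarball_sri(sample))
    for f in audit_tarball(sample):
        flags = [k for k in ("is_elf", "upx", "in_ci_dir", "ioc_match") if f[k]]
        print(f"{f['hook']} -> {f['path']} sha256={f['sha256'][:16]}... flags={flags}")
```

Against a real download, pass the tarball bytes instead of build_sample(), e.g. audit_tarball(open("atomic-notes-0.5.3.tgz", "rb").read()), and compare tarball_sri() with the sha512_sri recorded below. The token split is a heuristic: a hook that runs node -e, curl, or a script that downloads its payload produces no finding here, so an empty result is not a clean bill, only the absence of a shipped native binary referenced directly from a lifecycle script.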

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
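
The eBPF rootkit behaviour described above hides processes from tools that enumerate /proc through readdir. One triage check a responder can run on a suspect Linux host, added here as an example and not code from the advisory or from the IronWorm write-ups it cites, is to brute-force direct lookups of /proc/<pid> and compare them with the readdir view: a PID that resolves but is never listed is a hiding candidate. The script filters thread IDs (which legitimately resolve without being listed) using the Tgid field of /proc/<pid>/status, and re-lists /proc after the sweep to discard processes that merely spawned or exited mid-scan. pid_max is read from the kernel; the 65536 fallback is an assumption for hosts where it cannot be read.

```python
"""Cross-check /proc for process IDs hidden from directory listing (added example)."""
import os

PROC = "/proc"


def listed_pids() -> set:
    """PIDs visible through readdir(/proc), the path a getdents-hooking rootkit filters."""
    return {int(d) for d in os.listdir(PROC) if d.isdigit()}


def _is_thread_group_leader(pid: int) -> bool:
    """True only for real processes: thread IDs also resolve under /proc but are
    never listed by readdir, so they must not be reported as hidden."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def find_hidden_pids(max_pid: int = None) -> list:
    """PIDs that exist via direct path lookup but are absent from readdir(/proc)."""
    if not os.path.isdir(PROC):
        return []  # not Linux, or /proc unmounted: nothing to compare
    if max_pid is None:
        try:
            with open(f"{PROC}/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 65536  # assumed fallback when pid_max is unreadable
    before = listed_pids()
    candidates = [
        pid for pid in range(1, max_pid + 1)
        if pid not in before
        and os.path.isdir(f"{PROC}/{pid}")
        and _is_thread_group_leader(pid)
    ]
    # Processes that started or exited during the sweep look hidden; re-list
    # and keep only candidates that still exist and are still not listed.
    after = listed_pids()
    return [pid for pid in candidates
            if pid not in after and os.path.isdir(f"{PROC}/{pid}")]


def self_is_listed() -> bool:
    """Sanity check: the auditing process itself must appear in readdir(/proc)."""
    return True if not os.path.isdir(PROC) else os.getpid() in listed_pids()


if __name__ == "__main__":
    hidden = find_hidden_pids()
    print("hidden PIDs:", hidden or "none")
```

A non-empty result is a lead, not proof: inspect /proc/<pid>/exe, cmdline and the socket inodes in /proc/<pid>/fd for each hit. The converse does not hold either. A rootkit that also hooks the lookup path (or the stat of /proc/<pid>) returns a consistent lie to both views, so an empty result from an on-box check says little; for the eBPF case, listing loaded programs and maps with bpftool from a known-good environment, or examining the disk from live media, is the stronger check.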

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits
Amazon Inspector actran@amazon.com

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": ".github/scripts/precheck",
              "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
              "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"
            }
          ],
          "package_integrity": [
            {
              "filename": "atomic-notes-0.5.3.tgz",
              "hashes": {
                "sha1": "39fe3c6cab7278043eff4cce01c75ba0deb48d0f",
                "sha512_sri": "sha512-XalU2OtHiAXtrlv74LY4ChdutuWJ3s2AvvKmggZhs0095+78k/yZwafSmp/qA6XhdkqwVpeEsgayJXb6EOEAcQ=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "atomic-notes"
      },
      "versions": [
        "0.5.3"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "actran@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-004825",
        "import_time": "2026-05-26T05:53:21.433302985Z",
        "modified_time": "2026-05-26T01:00:33Z",
        "sha256": "c70dcf4fd11ae58bf4e06b896b2f163d54e3c3a26b66d472bab1e0af126f6f81",
        "source": "amazon-inspector",
        "versions": [
          "0.5.3"
        ]
      },
      {
        "import_time": "2026-06-04T22:42:01.227855Z",
        "modified_time": "2026-06-04T22:28:51.769005667Z",
        "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
        "source": "google-open-source-security",
        "versions": [
          "0.5.3"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c70dcf4fd11ae58bf4e06b896b2f163d54e3c3a26b66d472bab1e0af126f6f81)\npackage.json declares `preinstall:./.github/scripts/precheck`, which executes a 976 KB stripped, UPX-packed Linux x86_64 ELF shipped at `.github/scripts/precheck` on every `npm install`. The binary is opaque (packed + stripped, UPX marker `http://upx.sf.net` present) and contains kernel/syscall surface (LIBBPF, PTRACE, NETLINK, NETLINK_DIAG), a TLS/HTTP client (`HTTP/1.1`, `Ed25519`, `RSA_PKCS1_`, `POST`), and references to `USERPROFILE` and `https://` \u2014 capabilities entirely unrelated to the package\u0027s advertised purpose as a JavaScript Arweave/AO \u0027atomic-notes\u0027 library. The binary is hidden under `.github/scripts/`, a directory normally reserved for CI workflow YAML, not runtime code. Author and description fields in package.json are empty placeholders. There is no hash verification, no documentation, and no legitimate reason for a JS library to execute an opaque privileged Linux binary at install time.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim\u0027s repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n",
  "id": "MAL-2026-4486",
  "modified": "2026-06-04T23:12:16Z",
  "published": "2026-05-26T01:00:33Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/atomic-notes/v/0.5.3"
    },
    {
      "type": "ARTICLE",
      "url": "http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"
    },
    {
      "type": "ARTICLE",
      "url": "https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in atomic-notes (npm)"
}

