MAL-2026-4538
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667)
The package declares "preinstall": "./.github/scripts/precheck" in package.json, which invokes a 976KB stripped Linux x86_64 ELF binary hidden under .github/scripts/. The binary auto-executes unconditionally on npm install. Strings extracted from the binary reveal capabilities entirely inconsistent with the package's stated purpose (a create-*-app template scaffolder that copies a directory and runs yarn): PTRACE (anti-debug/process tracing), LIBBPF (kernel-level packet filtering/evasion), HTTP/1.1 with POST and DELETE methods, https:// endpoints, RSA_PKCS1, Ed25519, and MLKEM (post-quantum key exchange) cryptographic primitives, and USERPROFILE host-identifier enumeration. The combination of kernel evasion + outbound HTTPS channel + KEM crypto + host-identifier fields is the fingerprint of an installer-targeted implant, not a precheck script. The binary is staged in .github/scripts/, an unusual location for runtime artifacts (typically reserved for CI configuration), which is consistent with concealment from casual review. The package name additionally resembles the legitimate create-next-app family, increasing the chance of confused-install. Installer impact: any developer running npm install create-arnext-app executes attacker-controlled native code on their machine with their privileges — equivalent to remote code execution.
Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": ".github/scripts/precheck",
"sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
"tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"
},
{
"path": "package.json",
"sha256": "6c8d6d349eed97d54268c21eccbc7a8e87be95a8a729de931742ef14d16da745",
"tlsh": "69e0c270cd71593304ca26aa647a5a02ba930c230008fc2423c3d21c979c92724be89d"
}
],
"package_integrity": [
{
"filename": "create-arnext-app-0.0.10.tgz",
"hashes": {
"sha1": "c9df3b26b0e9e32780c61e586d26bd012ecee272",
"sha512_sri": "sha512-pNlPBDOVVns+AVU94s6K7l1IbcI5YzvjBvMCVXbPfGRUTr3iGRNMgDD3pDKmFiHggZJhjeWTzxFcURPC5IxN/g=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "create-arnext-app"
},
"versions": [
"0.0.10"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004831",
"import_time": "2026-05-26T05:53:22.104844755Z",
"modified_time": "2026-05-26T01:01:13Z",
"sha256": "67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667",
"source": "amazon-inspector",
"versions": [
"0.0.10"
]
},
{
"import_time": "2026-06-04T22:42:01.227855Z",
"modified_time": "2026-06-04T22:28:51.769005667Z",
"sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
"source": "google-open-source-security",
"versions": [
"0.0.10"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667)\nThe package declares `\"preinstall\": \"./.github/scripts/precheck\"` in package.json, which invokes a 976KB stripped Linux x86_64 ELF binary hidden under `.github/scripts/`. The binary auto-executes unconditionally on `npm install`. Strings extracted from the binary reveal capabilities entirely inconsistent with the package\u0027s stated purpose (a `create-*-app` template scaffolder that copies a directory and runs `yarn`): PTRACE (anti-debug/process tracing), LIBBPF (kernel-level packet filtering/evasion), HTTP/1.1 with POST and DELETE methods, `https://` endpoints, RSA_PKCS1, Ed25519, and MLKEM (post-quantum key exchange) cryptographic primitives, and USERPROFILE host-identifier enumeration. The combination of kernel evasion + outbound HTTPS channel + KEM crypto + host-identifier fields is the fingerprint of an installer-targeted implant, not a precheck script. The binary is staged in `.github/scripts/`, an unusual location for runtime artifacts (typically reserved for CI configuration), which is consistent with concealment from casual review. The package name additionally resembles the legitimate `create-next-app` family, increasing the chance of confused-install. Installer impact: any developer running `npm install create-arnext-app` executes attacker-controlled native code on their machine with their privileges \u2014 equivalent to remote code execution.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim\u0027s repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n",
"id": "MAL-2026-4538",
"modified": "2026-06-04T23:12:17Z",
"published": "2026-05-26T01:01:13Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/create-arnext-app/v/0.0.10"
},
{
"type": "ARTICLE",
"url": "http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"
},
{
"type": "ARTICLE",
"url": "https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in create-arnext-app (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.