MAL-2026-4566
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (38aca097f261c15ef9901f259883679e2d4308d6e4053099643c8befe9a14318)
package.json declares "preinstall": "./bin/install-deps", causing npm to execute a ~954KB packed Linux ELF binary on every install. The package advertises itself as a tiny JSON-based functional language built on Ramda, and the actual library at dist/cjs/index.js is ~1.8KB of pure JavaScript with no native dependency — there is no legitimate reason for a native install helper. Strings extracted from the shipped binary include HTTP/1.1, POST/DELETE verbs, GitHub API version 2022-11-28, USERPROFILE, TLS/crypto primitives (RSA_PKCS1_, Ed25519), PTRACE, and LIBBPF_0.0 — a feature set (HTTP client + GitHub API + ptrace + crypto) wholly unrelated to a JSON parser. The binary is packed and opaque to static review. The combination of (a) auto-execution at install time via preinstall, (b) shipped opaque native binary, (c) capability set entirely unrelated to the package's declared purpose, and (d) absent source/build manifest matches the install-time dropper pattern: arbitrary attacker-controlled code runs on every installer's machine on npm install.
Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "package.json",
"sha256": "bdf3472b6bbee1d09c46c67c850f2f57afea55b46f30daa9359d4cebe06b8469",
"tlsh": "22f0f030d8319ea318d961e8187a01a3a6a258039498fc1c33dba20d8e0e65b24fd9bd"
},
{
"path": "bin/install-deps",
"sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
"tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"
}
],
"package_integrity": [
{
"filename": "fpjson-lang-0.1.7.tgz",
"hashes": {
"sha1": "a3ccfcb005e6f2c8bb2dfe1863097026501727ce",
"sha512_sri": "sha512-mmKbSWMXEkJ/ZhNxOaNF+Psxyd7izGU0syF90qTyySelSVoO61hHMCXgOng2iHgXDrbPGof6Bd//BjWcotHb/w=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "fpjson-lang"
},
"versions": [
"0.1.7"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004819",
"import_time": "2026-05-26T05:53:20.664155847Z",
"modified_time": "2026-05-26T01:00:25Z",
"sha256": "38aca097f261c15ef9901f259883679e2d4308d6e4053099643c8befe9a14318",
"source": "amazon-inspector",
"versions": [
"0.1.7"
]
},
{
"import_time": "2026-06-04T22:42:01.227855Z",
"modified_time": "2026-06-04T22:28:51.769005667Z",
"sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
"source": "google-open-source-security",
"versions": [
"0.1.7"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (38aca097f261c15ef9901f259883679e2d4308d6e4053099643c8befe9a14318)\npackage.json declares `\"preinstall\": \"./bin/install-deps\"`, causing npm to execute a ~954KB packed Linux ELF binary on every install. The package advertises itself as a tiny JSON-based functional language built on Ramda, and the actual library at dist/cjs/index.js is ~1.8KB of pure JavaScript with no native dependency \u2014 there is no legitimate reason for a native install helper. Strings extracted from the shipped binary include HTTP/1.1, POST/DELETE verbs, GitHub API version `2022-11-28`, `USERPROFILE`, TLS/crypto primitives (`RSA_PKCS1_`, `Ed25519`), `PTRACE`, and `LIBBPF_0.0` \u2014 a feature set (HTTP client + GitHub API + ptrace + crypto) wholly unrelated to a JSON parser. The binary is packed and opaque to static review. The combination of (a) auto-execution at install time via preinstall, (b) shipped opaque native binary, (c) capability set entirely unrelated to the package\u0027s declared purpose, and (d) absent source/build manifest matches the install-time dropper pattern: arbitrary attacker-controlled code runs on every installer\u0027s machine on `npm install`.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim\u0027s repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n",
"id": "MAL-2026-4566",
"modified": "2026-06-04T23:12:17Z",
"published": "2026-05-26T01:00:25Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/fpjson-lang/v/0.1.7"
},
{
"type": "ARTICLE",
"url": "http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"
},
{
"type": "ARTICLE",
"url": "https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in fpjson-lang (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.