Vulnerability-Lookup

MAL-2026-4712

Vulnerability from ossf_malicious_packages

Published

2026-05-26 01:00

Modified

2026-06-04 23:12

Summary

Malicious code in warp-contracts-plugin-deploy-test (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ac3a02c9f004d72f8975e0e93fb0810818b509cf295cf9a567c882afaf9a7444)

Package name warp-contracts-plugin-deploy-test mimics the legitimate warp-contracts-plugin-deploy and copies its public API surface (lib/cjs/index.js re-exports DeployPlugin, CreateContractImpl, SourceImpl, Arweave/Ethereum signers identical to the genuine package). package.json declares "preinstall": "./bin/install-deps" where bin/install-deps is a 976,568-byte packed Linux ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36). The package self-describes as a TypeScript Warp Contracts deploy plugin — there is no native source tree, no node-gyp/binding.gyp, no documented purpose for shipping a Linux ELF helper. Readable strings in the binary (LIBBPF, PTRACE, NETLINK_DIAG, HTTP/1.1, https://, USERPROFILE) are inconsistent with any deploy-plugin function and consistent with a host-implant payload. On npm install, the binary runs with the installer's privileges, executing attacker-supplied compiled code that the scanner cannot inspect.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

CWE

CWE-506 - The product contains code that appears to be malicious in nature.

Credits

Amazon Inspector actran@amazon.com

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "package.json",
              "sha256": "e64f42c8e66746830d5a675f8836e623a3f1fa6fe88795e47a1e84b44ab2b747",
              "tlsh": "fa31ae20cf598c7322d46635f869c6836a7985a71c59fc0473e2a37c4f0c7af12b52ae"
            }
          ],
          "package_integrity": [
            {
              "filename": "warp-contracts-plugin-deploy-test-3.0.1.tgz",
              "hashes": {
                "sha1": "363f840495eb1045c5068359f30f2664828e4a32",
                "sha512_sri": "sha512-+FMOSw41u87GSxq7KMyvBoU7fqABE0PKsN2GJ5s8mnjt1DIWiB2H2JfI5O7XJ2V+PcgCv4chF3575XqamdXMew=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "warp-contracts-plugin-deploy-test"
      },
      "versions": [
        "3.0.1"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "actran@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-004814",
        "import_time": "2026-05-26T05:53:20.064460109Z",
        "modified_time": "2026-05-26T01:00:15Z",
        "sha256": "ac3a02c9f004d72f8975e0e93fb0810818b509cf295cf9a567c882afaf9a7444",
        "source": "amazon-inspector",
        "versions": [
          "3.0.1"
        ]
      },
      {
        "import_time": "2026-06-04T22:42:01.227855Z",
        "modified_time": "2026-06-04T22:28:51.769005667Z",
        "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
        "source": "google-open-source-security",
        "versions": [
          "3.0.1"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ac3a02c9f004d72f8975e0e93fb0810818b509cf295cf9a567c882afaf9a7444)\nPackage name `warp-contracts-plugin-deploy-test` mimics the legitimate `warp-contracts-plugin-deploy` and copies its public API surface (lib/cjs/index.js re-exports DeployPlugin, CreateContractImpl, SourceImpl, Arweave/Ethereum signers identical to the genuine package). package.json declares `\"preinstall\": \"./bin/install-deps\"` where `bin/install-deps` is a 976,568-byte packed Linux ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36). The package self-describes as a TypeScript Warp Contracts deploy plugin \u2014 there is no native source tree, no node-gyp/binding.gyp, no documented purpose for shipping a Linux ELF helper. Readable strings in the binary (LIBBPF, PTRACE, NETLINK_DIAG, HTTP/1.1, https://, USERPROFILE) are inconsistent with any deploy-plugin function and consistent with a host-implant payload. On `npm install`, the binary runs with the installer\u0027s privileges, executing attacker-supplied compiled code that the scanner cannot inspect.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim\u0027s repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n",
  "id": "MAL-2026-4712",
  "modified": "2026-06-04T23:12:21Z",
  "published": "2026-05-26T01:00:15Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/warp-contracts-plugin-deploy-test/v/3.0.1"
    },
    {
      "type": "ARTICLE",
      "url": "http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"
    },
    {
      "type": "ARTICLE",
      "url": "https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in warp-contracts-plugin-deploy-test (npm)"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted