MAL-2026-4480
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aonote/MAL-2026-4480.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4480
- Published
- 2026-05-26T00:59:18Z
- Modified
- 2026-06-04T23:16:44.530431327Z
- Summary
- Malicious code in aonote (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (df30872a579b6ce2419993ff9bad621f42347097dd43551a26583223e6a98a7b)
package.json declares
"preinstall": "./scripts/postbuild", wherescripts/postbuildis a 976KB UPX-packed Linux x86-64 ELF (sha256 36abd242...) shipped in the tarball with no source, no documentation, and no relation to the package's stated purpose (a JavaScript Arweave/AO note SDK). The binary executes unconditionally on everynpm installon Linux. Strings inside the binary include kernel/loader paths (/lib64,nux-x86-), UPX self-tag (http://upx.sf.net), eBPF and ptrace symbols (LIBBPF_0.0,_PTRACE), cryptographic primitives (RSA_PKCS1_,Ed25519,MLKEM), HTTP client strings (HTTP/1.1), and host-identity references (USERPROFILE,BY_FAMILY). Package metadata is hollow (description: "",author: ""), consistent with a hijack of a previously-legitimate name or an attacker-published lure. A JS SDK has no legitimate need to execute an opaque packed native binary at install time; the UPX packing additionally hides the payload from static review. Any developer or CI pipeline runningnpm install aonoteon Linux executes attacker-controlled native code with the invoking user's privileges.Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
- Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-004808", "import_time": "2026-05-26T05:53:19.199580124Z", "sha256": "df30872a579b6ce2419993ff9bad621f42347097dd43551a26583223e6a98a7b", "source": "amazon-inspector", "modified_time": "2026-05-26T00:59:18Z", "versions": [ "0.11.1" ] }, { "import_time": "2026-06-04T22:42:01.227855Z", "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae", "source": "google-open-source-security", "modified_time": "2026-06-04T22:28:51.769005667Z", "versions": [ "0.11.1" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / aonote
Package
- Name
- aonote
- View open source insights on deps.dev
- Purl
- pkg:npm/aonote
Database specific
indicators
{
"evidence_files": [
{
"path": "package.json",
"sha256": "1069d5d3334f699c23673562c4f87012857123f2887c26a16933982805ebff3d",
"tlsh": "8ff05920cd65edb305c862a0aa7a4583baf94e130445fc4973d2b60c8b8c37b64f921c"
}
],
"package_integrity": [
{
"filename": "aonote-0.11.1.tgz",
"hashes": {
"sha512_sri": "sha512-CuSzqJVidyzLjd3OpYwVoNiWHmMJy8UxFd8PO29fqaVPyvhYZZtwhoY/GP5NGYFw9qORc9fznWYCIP9lp+V+Dw==",
"sha1": "2ac42d68784d5ffe8978d3ad89677fb23b9ba0e5"
}
}
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aonote/MAL-2026-4480.json"