-= Per source details. Do not edit below this line.=-
package.json declares "preinstall": "./bin/install-deps", which points at a 976,568-byte Linux x86-64 ELF executable shipped in the tarball with no source, no build system, and no documentation. The binary is run as the installing user on every npm install. Strings inside the ELF include LIBBPF, PTRACE, HTTP/1.1, POST, USERPROFILE, and Ed25519 — capabilities (eBPF, process tracing, HTTP POST, cross-platform home-directory paths, key handling) that are unrelated to an Arweave deploy CLI. The package is also a clear impersonation of the legitimate Arweave arkb tool: it declares "bin": { "arkb": "./bin/app.js" } so npx arkb resolves to this package, its commands.js duplicates the real arkb help output (arkb ${command + usage}), and it lists @textury/ardb as a dependency to ride on the textury/Arweave brand. The combination of a typosquat lure plus an opaque preinstall native binary with no matching source is the canonical install-time-RCE / dropper pattern: any developer who runs npm install arnext-arkb (or installs it transitively) executes attacker-controlled native code under their own account before any other code runs.
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
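The install-hook pattern described above can be checked statically, before anything in the package runs. The following is an added example, not code from this advisory or from the reporting sources: it inspects an unpacked package directory and reports lifecycle scripts whose command names a native executable shipped inside the package. The function names, the example-pkg fixture and its 64-byte stub file are constructed for illustration, and the command tokenization is deliberately simple (no quote handling).

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const HOOKS = ['preinstall', 'install', 'postinstall'];
const MAGIC = [
  ['ELF', Buffer.from([0x7f, 0x45, 0x4c, 0x46])],
  ['PE', Buffer.from('MZ')],
  ['Mach-O', Buffer.from([0xcf, 0xfa, 0xed, 0xfe])],
];

// Return the executable format of a file based on its leading bytes, or null.
function nativeFormat(file) {
  const head = Buffer.alloc(4);
  const fd = fs.openSync(file, 'r');
  try { fs.readSync(fd, head, 0, 4, 0); } finally { fs.closeSync(fd); }
  const hit = MAGIC.find(([, sig]) => head.subarray(0, sig.length).equals(sig));
  return hit ? hit[0] : null;
}

// Inspect an unpacked package directory without executing anything in it.
function auditLifecycleScripts(pkgDir) {
  const root = fs.realpathSync(pkgDir);
  const manifest = JSON.parse(fs.readFileSync(path.join(root, 'package.json'), 'utf8'));
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of HOOKS) {
    for (const token of (scripts[hook] || '').split(/[\s;&|]+/).filter(Boolean)) {
      const target = path.resolve(root, token);
      // Only consider tokens that name an existing file inside the package.
      if (!target.startsWith(root + path.sep) || !fs.existsSync(target)) continue;
      const stat = fs.statSync(target);
      const format = stat.isFile() ? nativeFormat(target) : null;
      if (format) findings.push({ hook, file: path.relative(root, target), format, bytes: stat.size });
    }
  }
  return findings;
}

// Constructed fixture: ELF magic plus zero padding stands in for a shipped binary.
function buildFixture() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pkg-audit-'));
  fs.mkdirSync(path.join(dir, 'bin'));
  const scripts = { preinstall: './bin/install-deps', postinstall: 'node ./bin/app.js' };
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name: 'example-pkg', scripts }));
  fs.writeFileSync(path.join(dir, 'bin', 'install-deps'), Buffer.concat([MAGIC[0][1], Buffer.alloc(60)]));
  fs.writeFileSync(path.join(dir, 'bin', 'app.js'), '#!/usr/bin/env node\n');
  return dir;
}
console.log(auditLifecycleScripts(buildFixture()));
```

Run it against a tarball extracted with `npm pack` and `tar`, not against an installed tree, so that no lifecycle script has already executed.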
{
  "malicious-packages-origins": [
    {
      "id": "IN-MAL-2026-004832",
      "modified_time": "2026-05-26T01:01:13Z",
      "source": "amazon-inspector",
      "versions": [
        "0.0.2"
      ],
      "sha256": "87f9eda6644870362103de6f3bf1877efb1039c4b2b771343bcf6c38f216ecc0",
      "import_time": "2026-05-26T05:53:22.219304061Z"
    },
    {
      "modified_time": "2026-06-04T22:28:51.769005667Z",
      "source": "google-open-source-security",
      "versions": [
        "0.0.2"
      ],
      "import_time": "2026-06-04T22:42:01.227855Z",
      "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae"
    }
  ]
}
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/arnext-arkb/MAL-2026-4483.json"
{
  "evidence_files": [
    {
      "tlsh": "11110111cea0dde309c89aea18ba561ab09068578d04fd0c3393a70d8f0d22f3275e5e",
      "path": "package.json",
      "sha256": "1326a193fcc0f4f022762475e9112da1506582476623411e15de7e95002c9593"
    }
  ],
  "package_integrity": [
    {
      "filename": "arnext-arkb-0.0.2.tgz",
      "hashes": {
        "sha512_sri": "sha512-SQCFHZundGARMD67wjNlSAOh8Rr1fM5euh0fDDF4NiSrE16w/+k6KTORf9EAZCtbYEeabxf+92vjEG5HfxmMXg==",
        "sha1": "27b563ca40225feb4666da2e73d3055c9ade39da"
      }
    }
  ]
}