-= Per source details. Do not edit below this line.=-
package.json declares preinstall:./.github/scripts/precheck, which executes a 976 KB stripped, UPX-packed Linux x86_64 ELF shipped at .github/scripts/precheck on every npm install. The binary is opaque (packed + stripped, UPX marker http://upx.sf.net present) and contains kernel/syscall surface (LIBBPF, PTRACE, NETLINK, NETLINKDIAG), a TLS/HTTP client (HTTP/1.1, Ed25519, RSA_PKCS1_, POST), and references to USERPROFILE and https:// — capabilities entirely unrelated to the package's advertised purpose as a JavaScript Arweave/AO 'atomic-notes' library. The binary is hidden under .github/scripts/, a directory normally reserved for CI workflow YAML, not runtime code. Author and description fields in package.json are empty placeholders. There is no hash verification, no documentation, and no legitimate reason for a JS library to execute an opaque privileged Linux binary at install time.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "c70dcf4fd11ae58bf4e06b896b2f163d54e3c3a26b66d472bab1e0af126f6f81",
"modified_time": "2026-05-26T01:00:33Z",
"versions": [
"0.5.3"
],
"id": "IN-MAL-2026-004825",
"import_time": "2026-05-26T05:53:21.433302985Z"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atomic-notes/MAL-2026-4486.json"
{
"package_integrity": [
{
"filename": "atomic-notes-0.5.3.tgz",
"hashes": {
"sha1": "39fe3c6cab7278043eff4cce01c75ba0deb48d0f",
"sha512_sri": "sha512-XalU2OtHiAXtrlv74LY4ChdutuWJ3s2AvvKmggZhs0095+78k/yZwafSmp/qA6XhdkqwVpeEsgayJXb6EOEAcQ=="
}
}
],
"evidence_files": [
{
"path": ".github/scripts/precheck",
"tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
"sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]