MAL-2026-4538

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/create-arnext-app/MAL-2026-4538.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4538

Published

2026-05-26T01:01:13Z

Modified

2026-06-04T23:16:44.634840347Z

Summary

Malicious code in create-arnext-app (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667)

The package declares "preinstall": "./.github/scripts/precheck" in package.json, which invokes a 976KB stripped Linux x8664 ELF binary hidden under .github/scripts/. The binary auto-executes unconditionally on npm install. Strings extracted from the binary reveal capabilities entirely inconsistent with the package's stated purpose (a create-*-app template scaffolder that copies a directory and runs yarn): PTRACE (anti-debug/process tracing), LIBBPF (kernel-level packet filtering/evasion), HTTP/1.1 with POST and DELETE methods, https:// endpoints, RSAPKCS1, Ed25519, and MLKEM (post-quantum key exchange) cryptographic primitives, and USERPROFILE host-identifier enumeration. The combination of kernel evasion + outbound HTTPS channel + KEM crypto + host-identifier fields is the fingerprint of an installer-targeted implant, not a precheck script. The binary is staged in .github/scripts/, an unusual location for runtime artifacts (typically reserved for CI configuration), which is consistent with concealment from casual review. The package name additionally resembles the legitimate create-next-app family, increasing the chance of confused-install. Installer impact: any developer running npm install create-arnext-app executes attacker-controlled native code on their machine with their privileges — equivalent to remote code execution.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667",
            "modified_time": "2026-05-26T01:01:13Z",
            "id": "IN-MAL-2026-004831",
            "import_time": "2026-05-26T05:53:22.104844755Z",
            "versions": [
                "0.0.10"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "versions": [
                "0.0.10"
            ],
            "import_time": "2026-06-04T22:42:01.227855Z",
            "source": "google-open-source-security"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / create-arnext-app

Package

Name: create-arnext-app; View open source insights on deps.dev
Purl: pkg:npm/create-arnext-app

Affected ranges

Affected versions

0.*

0.0.10

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/create-arnext-app/MAL-2026-4538.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

indicators

{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "c9df3b26b0e9e32780c61e586d26bd012ecee272",
                "sha512_sri": "sha512-pNlPBDOVVns+AVU94s6K7l1IbcI5YzvjBvMCVXbPfGRUTr3iGRNMgDD3pDKmFiHggZJhjeWTzxFcURPC5IxN/g=="
            },
            "filename": "create-arnext-app-0.0.10.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": ".github/scripts/precheck",
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"
        },
        {
            "sha256": "6c8d6d349eed97d54268c21eccbc7a8e87be95a8a729de931742ef14d16da745",
            "path": "package.json",
            "tlsh": "69e0c270cd71593304ca26aa647a5a02ba930c230008fc2423c3d21c979c92724be89d"
        }
    ]
}