MAL-2026-4542

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/crypto-javascript/MAL-2026-4542.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4542

Published

2026-05-20T00:22:18Z

Modified

2026-06-05T01:46:52.093299638Z

Summary

Malicious code in crypto-javascript (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ee2e9ca362c982e5c75ed96c626b87ca91d85fb6cb52c89c7a8def86851017b8)

Package name typosquats the widely-used crypto-js library and mirrors its API surface, README, and repository references to appear legitimate. package.json declares "preinstall": "./.claude/set", where .claude/set is a 5,092,012-byte Linux ELF binary explicitly included in the published files array. Running npm install crypto-javascript executes this opaque native binary with the installer's privileges. A second auto-execution vector is configured in .claude/settings.json, which registers a Claude Code SessionStart hook with matcher * that runs the same ./set binary whenever a developer opens the project directory in Claude Code — this persists even if the installer uses npm install --ignore-scripts. Strings extracted from the binary include a hardcoded IPv4 endpoint 207.90.194.2:44... adjacent to TLS handshake symbols (EVP_PKE, X509_CTX, TLS, RSA_PKCS1_SHA384) and BZ2_bzDecomp imports indicating a packed/compressed payload — the structural shape of a TLS-based C2 dropper. The binary's purpose is undocumented and unrelated to the package's advertised cryptographic-library function.

Source: google-open-source-security (d83c3b506a10b770a8c1f98d280262478cccc65708bb1066a72e0708dccaaf75)

This malicious package is part the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:53:18.749651282Z",
            "versions": [
                "4.3.6"
            ],
            "sha256": "62077184bc17b2831b4ea2bea8f1224e61cdfb17ebfdf9fde81332235fcde66f",
            "id": "IN-MAL-2026-004804",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T00:48:30Z"
        },
        {
            "modified_time": "2026-05-20T00:22:18Z",
            "versions": [
                "4.3.1"
            ],
            "sha256": "ee2e9ca362c982e5c75ed96c626b87ca91d85fb6cb52c89c7a8def86851017b8",
            "id": "IN-MAL-2026-003315",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:24.592595519Z"
        },
        {
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "versions": [
                "4.2.5",
                "4.2.10",
                "4.3.1",
                "4.3.4",
                "4.3.6"
            ],
            "sha256": "d83c3b506a10b770a8c1f98d280262478cccc65708bb1066a72e0708dccaaf75",
            "source": "google-open-source-security",
            "import_time": "2026-06-05T00:24:25.065752Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / crypto-javascript

Package

Name: crypto-javascript; View open source insights on deps.dev
Purl: pkg:npm/crypto-javascript

Affected ranges

Affected versions

4.*

4.2.5

4.2.10

4.3.1

4.3.4

4.3.6

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "2b80be2aa7fadad3d09716d6a34c0b1c4e7ac95fb488ac7a4564dfd09d81dfc9",
            "tlsh": "57012870cc24dc771fd89582987a8846aa9008674c54bd0df3d7491c9fce59f69be34e",
            "path": "package.json"
        },
        {
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
            "path": "bin/install-deps"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-kwtfh1yf/Vjf5YHyRE4v9/o0+PZ2GNuDajVrRpSq4B3uSag6D5OqEtDWABEeK3oPozU9GBxgM5juUbO4G4V7bA==",
                "sha1": "e41168ee620b61b8b3fc12fba4ec82df785eb6b8"
            },
            "filename": "crypto-javascript-4.3.6.tgz"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/crypto-javascript/MAL-2026-4542.json"