MAL-2026-4545

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cwao-tools/MAL-2026-4545.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4545
Published
2026-05-26T01:00:18Z
Modified
2026-06-04T23:16:44.846933703Z
Summary
Malicious code in cwao-tools (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (821b56cf14d7125df010804baf204325703e58d8f238fc0f219bf82652d99f31)

package.json declares "preinstall": "./scripts/postbuild", and scripts/postbuild is a 976,568-byte stripped Linux x86 ELF (sha256 36abd242…). The package advertises itself as a Node.js CosmWasm/AO contract scaffolding tool — a pure JavaScript use case with no documented native component. Nothing in README or index.js references this binary or any native build step, and no source for it is shipped. Strings extracted from the binary include LIBBPF, PTRACE, NETLINK_DIAG, RSA, Ed25519, HTTP/1.1, TLS, and USERPROFILE — kernel-introspection (eBPF/ptrace), cryptographic, and HTTP/TLS capability that has no relationship to scaffolding code generation. The script is named postbuild despite being wired to the preinstall lifecycle hook, a cover-story naming choice consistent with evading casual review. Running npm install cwao-tools immediately executes this opaque native binary with the installer's privileges, giving the publisher arbitrary code execution on the installer's machine on every install.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
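Both source write-ups above hinge on the same install-time pattern: a lifecycle hook (here preinstall) that launches a stripped native ELF binary shipped under a misleading name, in a package whose advertised purpose is pure JavaScript. The following is an added example, not code from the advisory or from either reporting source, of a pre-install audit a defender can run against an unpacked npm tarball to surface that pattern before `npm install` executes anything. The package tree it inspects is constructed inline (a fake ELF header and a minimal package.json, not the real cwao-tools contents); the function names, the ELF-magic check and the name-mismatch heuristic are assumptions of this example.

```python
import json
import os
import tempfile

# npm runs these lifecycle scripts automatically during `npm install`,
# so a command wired to one of them executes with the installer's privileges.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    """True if the file starts with the ELF magic bytes (a native Linux executable)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def audit_install_hooks(pkg_dir):
    """Inspect package.json in pkg_dir and return (hook, command, reason) findings
    for install-time hooks that execute native ELF binaries, point at files that
    are not shipped, or use a script name unrelated to the hook invoking it."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    scripts = manifest.get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        exe = cmd.split()[0]
        if not exe.startswith("./"):
            # External command (node, node-gyp, curl, ...): cannot be resolved offline.
            findings.append((hook, cmd, "runs an external command at install time; review manually"))
            continue
        target = os.path.normpath(os.path.join(pkg_dir, exe))
        if not os.path.isfile(target):
            findings.append((hook, cmd, "references a file not shipped in the package"))
            continue
        if is_elf(target):
            findings.append((hook, cmd, "executes a native ELF binary"))
        # Heuristic (assumption of this example): a script wired to an *install hook
        # whose name says nothing about installing is worth a second look.
        if "install" not in os.path.basename(target).lower():
            findings.append((hook, cmd, "script name does not match the hook it is wired to"))
    return findings


def build_sample_package(root, native_hook=True):
    """Write a constructed package tree (not the real cwao-tools contents) that
    mirrors the advisory's pattern: preinstall pointing at a binary named postbuild."""
    os.makedirs(os.path.join(root, "scripts"), exist_ok=True)
    scripts = {"test": "node test.js"}
    if native_hook:
        scripts["preinstall"] = "./scripts/postbuild"
        with open(os.path.join(root, "scripts", "postbuild"), "wb") as fh:
            # Constructed fake ELF header: magic, 64-bit, little-endian, version 1, padding.
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "sample-pkg", "version": "0.0.0", "scripts": scripts}, fh)


def run_demo(native_hook=True):
    """Build the constructed package in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp, native_hook)
        return audit_install_hooks(tmp)


if __name__ == "__main__":
    for hook, cmd, reason in run_demo():
        print(f"[{hook}] {cmd}: {reason}")
```

On a real tarball, run `npm pack <name>@<version>` (which downloads without executing hooks), extract it, and point `audit_install_hooks` at the `package/` directory; a finding of "executes a native ELF binary" in a package with no documented native component is the signal the amazon-inspector write-up describes.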

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:53:20.246302143Z",
            "versions": [
                "0.3.1"
            ],
            "sha256": "821b56cf14d7125df010804baf204325703e58d8f238fc0f219bf82652d99f31",
            "id": "IN-MAL-2026-004815",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T01:00:18Z"
        },
        {
            "import_time": "2026-06-04T22:42:01.227855Z",
            "versions": [
                "0.3.1"
            ],
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "source": "google-open-source-security",
            "modified_time": "2026-06-04T22:28:51.769005667Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / cwao-tools

Affected ranges: 0.*

Affected versions: 0.3.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
            "path": "scripts/postbuild"
        },
        {
            "sha256": "b2f09767e2c1d9ca43810ae70e1ace5712f289eee1aeb5c5effe0504bf65aea6",
            "tlsh": "77e08c30cc719a2300c412f4287aa903a9a20c230118fc4c33c3961cebad55b34be92d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-cscHaTNvdw8CKZ+G2iEjWpj2WnOidPCnmLKuHJzVweQPWdTaQd8i02oi4pDDrp8jCImLUQI+hHPKXnMzxOUV8Q==",
                "sha1": "266e73bc3a9903dbd58b0eb92aeb5c1fc4b2c1f8"
            },
            "filename": "cwao-tools-0.3.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cwao-tools/MAL-2026-4545.json"