MAL-2026-4546

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cwao-units/MAL-2026-4546.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4546

Published

2026-05-26T01:00:27Z

Modified

2026-06-04T23:16:44.856983109Z

Summary

Malicious code in cwao-units (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (94f3ce7490e9a811444c5493ebb6d968f9dd7879d7695f330e101cf5b158fedf)

package.json declares "preinstall": "./scripts/postbuild", where scripts/postbuild is a 976,568-byte Linux x86-64 ELF binary shipped in the tarball with no corresponding source, no native build configuration (no binding.gyp, no.c/.cc/.rs files, no node-gyp/cmake-js/prebuild-install tooling), and no mention in README. The package self-describes as a pure-JS Arweave/AO unit runner whose declared dependencies (arweave, express, cors, ramda, weavedb) are all pure JavaScript — there is no legitimate cover story for a platform-specific native binary. Strings inside the ELF include LIBBPF_0.0, PTRACE, NETLINK, HTTP/1.1, https://, Ed25519/RSA/MLKEM crypto primitives, and USERPROFILE, indicating network-capable, BPF/ptrace-capable native code. Every npm install cwao-units executes this opaque binary as the installer's user before the package is even loaded. The filename postbuild is suggestively chosen to mimic a benign build artifact, and the binary is invoked as a preinstall (not postinstall) hook so it fires before any inspection. This matches the canonical opaque-binary dropper pattern: doc-mismatch + thin lifecycle-script wrapper + undocumented native code with networking/tracing primitives.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:53:20.961988129Z",
            "versions": [
                "0.8.3"
            ],
            "sha256": "94f3ce7490e9a811444c5493ebb6d968f9dd7879d7695f330e101cf5b158fedf",
            "id": "IN-MAL-2026-004821",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T01:00:27Z"
        },
        {
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "versions": [
                "0.8.3"
            ],
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "source": "google-open-source-security",
            "import_time": "2026-06-04T22:42:01.227855Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / cwao-units

Package

Name: cwao-units; View open source insights on deps.dev
Purl: pkg:npm/cwao-units

Affected ranges

Affected versions

0.*

0.8.3

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "c95a8db88750d63cfd2b2bf537ffb9c302da16b4a80075421468b592959d2677",
            "tlsh": "7b01f470ed11cdb308c562fa28354256a56158275c84fc9c33c6eb0c8f9d86f32b9d2d",
            "path": "package.json"
        },
        {
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
            "path": "scripts/postbuild"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-Gsp881+Ji5JZAh6QCfYeQvUkvygcGGmbPx/GoGi7+oisX5UnpuZ830pPvXjSxuMnnvgopmNobr6yJ1Q8XNMdMw==",
                "sha1": "535e79c05de7e50c70adba627bc649e8380ad243"
            },
            "filename": "cwao-units-0.8.3.tgz"
        }
    ]
}

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cwao-units/MAL-2026-4546.json"