MAL-2026-4547

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cxpher-linux-arm32/MAL-2026-4547.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4547
Published
2026-05-24T18:54:03Z
Modified
2026-05-26T06:02:27.321516126Z
Summary
Malicious code in cxpher-linux-arm32 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cd6c14d2899b638880b25bf1c35973ed1c9cf6fcb99331447e3da7c2478124c7)

The package's main entry point is an ARM ELF binary. When loaded, it creates a working directory with mkdtemp() under /dev/shm/.cxpher.XXXXXX or /tmp/.cxpher.XXXXXX, writes an unpacked JavaScript file there (a.js, plus /tmp/.cxpher-wrap.%d.js), locates node at /usr/local/bin/node or /usr/bin/node, and calls execvp() to run node against the unpacked file. The bytes that ultimately execute are decoded from an opaque high-entropy blob embedded in the ELF and cannot be audited from the published tarball; this is the native equivalent of eval(decode(blob)). The same binary reads /proc/self/status and parses the TracerPid: field, the canonical Linux anti-ptrace anti-debugging check, which a legitimate native addon has no need for. Package metadata is placeholder (no author, homepage, repository, or README; the description is the generic string "Native binary for cxpher on linux-arm32"), and the binary references an alternate environment-variable prefix (AGPK_AUDIO_FD alongside CXPHER_AUDIO_FD), suggesting it was renamed or repurposed from a different project. No documentation describes what code is unpacked and run on the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "cd6c14d2899b638880b25bf1c35973ed1c9cf6fcb99331447e3da7c2478124c7",
            "source": "amazon-inspector",
            "modified_time": "2026-05-24T18:54:03Z",
            "import_time": "2026-05-26T05:52:46.653948545Z",
            "versions": [
                "2.0.22"
            ],
            "id": "IN-MAL-2026-004526"
        }
    ]
}
References
Credits

Affected packages

Package: npm / cxpher-linux-arm32
Affected ranges: 2.*
Affected versions: 2.0.22

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cxpher-linux-arm32/MAL-2026-4547.json"
indicators
{
    "package_integrity": [
        {
            "filename": "cxpher-linux-arm32-2.0.22.tgz",
            "hashes": {
                "sha1": "b0bd18b89d24b42edeb0895457776ec905dfef9e",
                "sha512_sri": "sha512-1KM/nXR5MjIZ4ZY3Q9hTl2p+yRXOfLJLGE0UvQ53e0uZZ67jU+W9A7iWZx2I/W7VwCraenasHy9QyKjXsSbi1A=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "cXpher",
            "tlsh": "25842319eff39a94d9da43b8ece0d854abb2975a8c5427c1b3ccd0301e5a264c473ee5",
            "sha256": "910b1f8164a8b57fb53840b216cb9c8ea6e50382294b06b7dd63f3592775a173"
        },
        {
            "path": "package.json",
            "tlsh": "7bd05e008620b46318d89a600d6a51895a180eefc3803e10635b630d036826646bd6ad",
            "sha256": "5cac10c8e9444eca93b2a23996c5af289cd85c1dab6e13d56cbfa047ec867daf"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]