MAL-2026-4663

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/roidjs/MAL-2026-4663.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4663
Published
2026-05-26T01:01:11Z
Modified
2026-06-04T23:16:45.506760514Z
Summary
Malicious code in roidjs (npm)
Details


Source: amazon-inspector (46b2c3afc1b9dd20ecad5f3b47c333e8324500e3d0102df362aa7c11a60469a0)

package.json declares "preinstall": "./bin/install-deps", which causes npm install roidjs to auto-execute bin/install-deps — a 976,568-byte Linux x86_64 ELF whose embedded strings include LIBBPF_0.0, PTRACE, NETLINK, RSA_PKCS1_, Ed25519, https://, HTTP/1.1, POST, and USERPROFILE. The package advertises itself as a tiny React+Recoil state helper (the actual JS in dist/cjs/index.js is ~1.7 KB of pure JavaScript) and has no documented native dependency that would justify shipping or running such a binary. The capabilities suggested by the binary's strings (eBPF, ptrace, NETLINK, outbound HTTPS POST, cross-platform user-profile path handling, asymmetric crypto) are inconsistent with a state-management library. The publisher provides no source for the binary, no build manifest, no checksum, and no integrity verification — the installer has no way to know what runs as their user when the lifecycle hook fires. The shape (opaque native dropper invoked from preinstall, purpose mismatch with package description, no provenance) matches the generic-binary-runner-dropper pattern.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
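Both sources above describe the same mechanism: a lifecycle hook in package.json that makes `npm install` execute an opaque native binary shipped inside the tarball. That shape can be checked mechanically before a package is installed. The script below is an added example written for this page; it is not part of the advisory, the OSV data, or any ossf tooling. The package.json text mirrors the `"preinstall": "./bin/install-deps"` hook quoted above, but the file contents (a short ELF-magic stub standing in for the real 976,568-byte binary, and a few bytes of JavaScript) are constructed, and the function names are the example's own.

```python
import json
import shlex

# npm lifecycle hooks that run automatically when a dependency is installed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Leading magic bytes of common native executable formats.
NATIVE_MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
}


def native_format(data: bytes):
    """Return the native executable format name if `data` starts with a known magic, else None."""
    for magic, name in NATIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def audit_lifecycle_scripts(package_json: str, files: dict):
    """Flag lifecycle hooks and any native binaries inside the package that they invoke.

    `files` maps paths relative to the package root to the file bytes (as they
    would be read out of the extracted tarball). Returns one finding per hook
    that is declared, listing native binaries referenced by its command line.
    """
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        finding = {"hook": hook, "command": cmd, "native_binaries": []}
        # Resolve each shell token against the package contents; tokens that are
        # not files in the tarball (e.g. "node", flags) are simply skipped.
        for token in shlex.split(cmd):
            rel = token[2:] if token.startswith("./") else token
            data = files.get(rel)
            if data is None:
                continue
            fmt = native_format(data[:4])
            if fmt:
                finding["native_binaries"].append(
                    {"path": rel, "format": fmt, "size": len(data)}
                )
        findings.append(finding)
    return findings


def has_native_dropper(findings) -> bool:
    """True if any auto-run hook executes a native binary bundled with the package."""
    return any(f["native_binaries"] for f in findings)


# Constructed sample mirroring the hook quoted in the advisory. The ELF payload is
# a 64-byte stub with the ELF magic, not the real binary.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "roidjs",
    "version": "0.1.7",
    "main": "dist/cjs/index.js",
    "scripts": {"preinstall": "./bin/install-deps"},
})
SAMPLE_FILES = {
    "bin/install-deps": b"\x7fELF\x02\x01\x01" + b"\x00" * 57,
    "dist/cjs/index.js": b"module.exports = { useRoid: () => null };",
}

# Constructed benign comparison: a postinstall hook that runs a JS file.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {"postinstall": "node scripts/setup.js"},
})
BENIGN_FILES = {"scripts/setup.js": b"console.log('setup');"}


if __name__ == "__main__":
    for label, pj, fs in (("sample", SAMPLE_PACKAGE_JSON, SAMPLE_FILES),
                          ("benign", BENIGN_PACKAGE_JSON, BENIGN_FILES)):
        findings = audit_lifecycle_scripts(pj, fs)
        print(label, "native dropper:", has_native_dropper(findings))
        for f in findings:
            print("  ", f)
```

The check only reads the manifest and file headers, so it runs in a pre-install gate (a registry proxy, a CI step that unpacks `npm pack` output, or a review script) without executing anything from the package. As a blanket mitigation, `npm install --ignore-scripts` or `ignore-scripts=true` in `.npmrc` stops lifecycle hooks from running at all; packages that genuinely need a build step will then have to be allow-listed explicitly.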

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "46b2c3afc1b9dd20ecad5f3b47c333e8324500e3d0102df362aa7c11a60469a0",
            "import_time": "2026-05-26T05:53:22.010804867Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T01:01:11Z",
            "versions": [
                "0.1.7"
            ],
            "id": "IN-MAL-2026-004830"
        },
        {
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "import_time": "2026-06-04T22:42:01.227855Z",
            "source": "google-open-source-security",
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "versions": [
                "0.1.7"
            ]
        }
    ]
}
References
Credits

Affected packages

Package: npm / roidjs
Affected ranges: 0.*
Affected versions: 0.1.7

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/roidjs/MAL-2026-4663.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "46dc388de6c52d50c3f1ce0dbe0c339931de8c04273a5bac5ad926ae4e2d2703",
            "tlsh": "0ff0e930c8319db318d975f458360293e6b24857949cfc1833c7660c4a4d69b20fd5fd",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "roidjs-0.1.7.tgz",
            "hashes": {
                "sha1": "c8a1a35d0ba8916b045b311e5f7672bcd2c678b0",
                "sha512_sri": "sha512-NMkcli3Y234hgSS57pe2uxmDTaPxy6XgPFFEZe2BSOJm2H12tdHVU0HhfLEXXlPyl0h2zLFuoWQi/068RPh7wQ=="
            }
        }
    ]
}