MAL-2026-4689

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test-ajs/MAL-2026-4689.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4689

Published

2026-05-26T01:00:07Z

Modified

2026-06-04T23:16:45.913741388Z

Summary

Malicious code in test-ajs (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (851b521e3dde5ea11478cd37cc4bf8da2f0a0ca1864d6c39fa27fd02ef0f9308)

test-ajs advertises a ~2KB React/Recoil helper (dist/cjs/index.js, 2169 bytes, exporting Roid/inject glue over react+recoil) but ships a ~976KB Linux ELF at bin/install-deps and runs it unconditionally via package.json's preinstall hook ("preinstall": "./bin/install-deps"). The package declares no native build tooling — no binding.gyp, no C/C++ or Rust source, no node-gyp / prebuild-install / cmake-js — so there is no legitimate reason for a native binary to exist, let alone execute on every npm install. The binary's embedded strings indicate HTTP client behavior (HTTP/1.1, POST, DELETE, https://), modern asymmetric crypto (RSAPKCS1, Ed25519, MLKEM, X448), a GitHub API version pin (2022-11-28), and host-environment references (USERPROFILE, PATH) — the fingerprint of an outbound-network agent with credential/key handling, completely unrelated to a 2KB React binding. The cover-story name ("install-deps") is misleading: the JavaScript surface contains no dependency-resolution logic the binary could be assisting. Any developer or CI runner that installs this package executes attacker-controlled native code with the installer's privileges before any review of package contents is possible.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004811",
            "versions": [
                "0.1.19"
            ],
            "sha256": "851b521e3dde5ea11478cd37cc4bf8da2f0a0ca1864d6c39fa27fd02ef0f9308",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T01:00:07Z",
            "import_time": "2026-05-26T05:53:19.709101656Z"
        },
        {
            "versions": [
                "0.1.19"
            ],
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "source": "google-open-source-security",
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "import_time": "2026-06-04T22:42:01.227855Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / test-ajs

Package

Name: test-ajs; View open source insights on deps.dev
Purl: pkg:npm/test-ajs

Affected ranges

Affected versions

0.*

0.1.19

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "8ff534522c544f905727bb14bf6d71ad6688a6dbec5fbdfb16d19429940b2c66",
            "tlsh": "e9f0e930c8719db318d975f458361293e6b24857949cfc1833cb670c4a4e69710fd5bd"
        },
        {
            "path": "bin/install-deps",
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"
        }
    ],
    "package_integrity": [
        {
            "filename": "test-ajs-0.1.19.tgz",
            "hashes": {
                "sha512_sri": "sha512-bHrK7hQfgpPbHqBOM5FKpEWUiwduXux9ZD8zohOB16l79P1lsaedvsrams6zTv0FtFlib8Fz4jS3qkVfOJ4tkg==",
                "sha1": "bb66f6af4d55eaffec7b88baa8a9335dfe234290"
            }
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test-ajs/MAL-2026-4689.json"