MAL-2026-4691
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/testnpmnmp/MAL-2026-4691.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4691
- Published
- 2026-05-26T01:00:12Z
- Modified
- 2026-06-04T23:16:45.859958978Z
- Summary
- Malicious code in testnpmnmp (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (e82942b1fcdaed1a1085ad9590ef93704e276c5c5ca1622884abac014f03980f)
package.json declares
"preinstall": "./scripts/postbuild", wherescripts/postbuildis a 976,568-byte unsigned, unhashed, unversioned Linux ELF executable shipped in the tarball. The package's only JavaScript source (src/index.js) is a trivial stub that exports() => { console.log("hello") }, with the bundled output (dist/index.cjs.js) matching. Nothing in the package's stated Arweave/Warp-contracts wrapper purpose justifies a native executable, and the binary's embedded strings (LIBBPF_0.0,PTRACE,NETLINK,HTTP/1.1,USERPROFILE,RSA_PKCS1_,Ed25519) indicate credential-handling and network-agent capabilities rather than build tooling. Onnpm install, the binary runs with the installer's privileges before any user inspection; the JS stub is a cover for shipping and executing arbitrary native code. The package nametestnpmnmpand stub source further indicate a throwaway dropper rather than a real library.Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
- Database specific
{ "malicious-packages-origins": [ { "sha256": "e82942b1fcdaed1a1085ad9590ef93704e276c5c5ca1622884abac014f03980f", "source": "amazon-inspector", "modified_time": "2026-05-26T01:00:12Z", "id": "IN-MAL-2026-004813", "versions": [ "1.0.21" ], "import_time": "2026-05-26T05:53:19.958201736Z" }, { "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae", "source": "google-open-source-security", "modified_time": "2026-06-04T22:28:51.769005667Z", "versions": [ "1.0.21" ], "import_time": "2026-06-04T22:42:01.227855Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / testnpmnmp
Package
- Name
- testnpmnmp
- View open source insights on deps.dev
- Purl
- pkg:npm/testnpmnmp
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/testnpmnmp/MAL-2026-4691.json"
indicators
{
"evidence_files": [
{
"sha256": "917cfda6f5d0bc7629dd175ba359d9ce80c4f13b882e9cc8ef8b1458fb021828",
"tlsh": "d1f02830cd62da6309d960f11478a387aab59c67448cfc0833c6624d0b5e29b11fe9ac",
"path": "package.json"
},
{
"sha256": "f7cfb8d233e55624838f80566e10ca192c46426a2e84d3adb6eb244dbc784139",
"tlsh": "07f055413bed7172708d20d08a32493a3a23cdb93f487894a2dc72e725d79e883a34f0",
"path": "src/index.js"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-bbkVKearaasNCBSqD+OjMx2JNoCzhNWGRfrlrNlhaCy13r4SCNQHMYV1zkovyVeHEmEzlXKpLUvqOuTrXpvWYA==",
"sha1": "e5fa91f4b94513e1bda934d32567270e8d27d97e"
},
"filename": "testnpmnmp-1.0.21.tgz"
}
]
}