MAL-2026-4712

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/warp-contracts-plugin-deploy-test/MAL-2026-4712.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4712
Published
2026-05-26T01:00:15Z
Modified
2026-06-04T23:16:41.679489570Z
Summary
Malicious code in warp-contracts-plugin-deploy-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ac3a02c9f004d72f8975e0e93fb0810818b509cf295cf9a567c882afaf9a7444)

Package name warp-contracts-plugin-deploy-test mimics the legitimate warp-contracts-plugin-deploy and copies its public API surface (lib/cjs/index.js re-exports DeployPlugin, CreateContractImpl, SourceImpl, Arweave/Ethereum signers identical to the genuine package). package.json declares "preinstall": "./bin/install-deps" where bin/install-deps is a 976,568-byte packed Linux ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36). The package self-describes as a TypeScript Warp Contracts deploy plugin — there is no native source tree, no node-gyp/binding.gyp, no documented purpose for shipping a Linux ELF helper. Readable strings in the binary (LIBBPF, PTRACE, NETLINK_DIAG, HTTP/1.1, https://, USERPROFILE) are inconsistent with any deploy-plugin function and consistent with a host-implant payload. On npm install, the binary runs with the installer's privileges, executing attacker-supplied compiled code that the scanner cannot inspect.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "ac3a02c9f004d72f8975e0e93fb0810818b509cf295cf9a567c882afaf9a7444",
            "import_time": "2026-05-26T05:53:20.064460109Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T01:00:15Z",
            "versions": [
                "3.0.1"
            ],
            "id": "IN-MAL-2026-004814"
        },
        {
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "import_time": "2026-06-04T22:42:01.227855Z",
            "source": "google-open-source-security",
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "versions": [
                "3.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / warp-contracts-plugin-deploy-test

Package

Name
warp-contracts-plugin-deploy-test
Purl
pkg:npm/warp-contracts-plugin-deploy-test

Affected ranges

Affected versions

3.*
3.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/warp-contracts-plugin-deploy-test/MAL-2026-4712.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "e64f42c8e66746830d5a675f8836e623a3f1fa6fe88795e47a1e84b44ab2b747",
            "tlsh": "fa31ae20cf598c7322d46635f869c6836a7985a71c59fc0473e2a37c4f0c7af12b52ae",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "warp-contracts-plugin-deploy-test-3.0.1.tgz",
            "hashes": {
                "sha1": "363f840495eb1045c5068359f30f2664828e4a32",
                "sha512_sri": "sha512-+FMOSw41u87GSxq7KMyvBoU7fqABE0PKsN2GJ5s8mnjt1DIWiB2H2JfI5O7XJ2V+PcgCv4chF3575XqamdXMew=="
            }
        }
    ]
}