MAL-2026-4739
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zkjson/MAL-2026-4739.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4739
- Published
- 2026-05-26T00:59:30Z
- Modified
- 2026-06-04T23:16:43.431922316Z
- Summary
- Malicious code in zkjson (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (758a19e42db66cf6ae7a08d462278b30e3a154b56613d2d95f8020de3add3816)
package.json declares
"preinstall": "./.github/scripts/precheck", pointing to a 976 KB Linux ELF executable (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) shipped inside the tarball at.github/scripts/precheck. The binary runs automatically with the installer's privileges on everynpm install. The package self-describes as a pure-JS 'Zero Knowledge Provable JSON' library whosemainexports only JS classes fromcjs/index.js; there is no source, build script, documentation, or stated purpose justifying a native executable. Extracted strings indicate HTTP-client primitives (HTTP/1.1,POST,GET,Host:,https://) and OAuth-related tokens, consistent with a network-active payload. There is no version pinning, no hash verification, and no reproducible build path for the binary — the published bytes are the only artifact installers receive. Shipping an opaque networked ELF as a preinstall hook in a library that advertises no native component is the canonical install-time dropper shape and gives the publisher arbitrary code execution on every installer's machine.Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
- Database specific
{ "malicious-packages-origins": [ { "import_time": "2026-05-26T05:53:19.583301181Z", "versions": [ "0.8.5" ], "sha256": "758a19e42db66cf6ae7a08d462278b30e3a154b56613d2d95f8020de3add3816", "id": "IN-MAL-2026-004810", "source": "amazon-inspector", "modified_time": "2026-05-26T00:59:30Z" }, { "modified_time": "2026-06-04T22:28:51.769005667Z", "versions": [ "0.8.5" ], "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae", "source": "google-open-source-security", "import_time": "2026-06-04T22:42:01.227855Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / zkjson
Package
- Name
- zkjson
- View open source insights on deps.dev
- Purl
- pkg:npm/zkjson
Database specific
indicators
{
"evidence_files": [
{
"sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
"tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
"path": ".github/scripts/precheck"
}
],
"package_integrity": [
{
"filename": "zkjson-0.8.5.tgz",
"hashes": {
"sha512_sri": "sha512-EHTv+P/2UWsYZ2z7NvlS9nJ9A0DTPYo/aWNDIGVIhKRKeFMXus83+Bg8b5Z1oyse2RlY402o/3HEJyjdOyJSMQ==",
"sha1": "9eb45e87eaca9900daff4bb64dc0ca2cd2bd9ab4"
}
}
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zkjson/MAL-2026-4739.json"