MAL-2026-5189

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/arjson/MAL-2026-5189.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5189
Published
2026-06-04T22:27:40Z
Modified
2026-06-12T20:01:47.019483903Z
Summary
Malicious code in arjson (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (00290c05e0c41a8f51d38c629ade5b3fe76f2a89302db8daac669b0c80d13197)

package.json declares "preinstall": "./.github/scripts/precheck", which on npm install executes a 976KB UPX-packed Linux ELF binary shipped under .github/scripts/ (a path designed to look like CI tooling). The binary has no accompanying source, is compressed with UPX (http://upx.sf.net banner present in the packed image) to defeat static inspection, and its embedded strings reveal capabilities far beyond anything a JSON serialization library would require: libbpf/eBPF (LIBBPF_0.0), kernel tracing (PTRACE), netlink socket-diag enumeration (NETLINK_*_DIAG, INODE), HTTP client primitives (HTTP/1.1, POST, DELETE), GitHub API client (2022-11-28), Windows path handling (USERPROFILE), and asymmetric crypto (Ed25519, MLKEM, RSAPKCS1). Any developer or CI system running npm install arjson on Linux will execute opaque packed native code with kernel-level introspection and HTTP-exfiltration capability. The package is advertised as a JSON library; no legitimate purpose exists for shipping a packed eBPF/HTTP-capable preinstall binary.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.1.4"
            ],
            "import_time": "2026-06-04T22:42:01.227855Z",
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "source": "google-open-source-security"
        },
        {
            "versions": [
                "0.1.4"
            ],
            "import_time": "2026-06-12T19:44:11.095315849Z",
            "modified_time": "2026-06-12T19:09:35Z",
            "id": "IN-MAL-2026-006127",
            "sha256": "00290c05e0c41a8f51d38c629ade5b3fe76f2a89302db8daac669b0c80d13197",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / arjson

Package

Affected ranges

Affected versions

0.*
0.1.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/arjson/MAL-2026-5189.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "3a327976602c78a813813713716657dd26b00a82",
                "sha512_sri": "sha512-+m6kNJ+Y5Fe1w7YiVJcXByTSBcFsz/Fil5E73+FdSGFkf6z09EXHK0Cyykf7uUfYTe3PL3UzHBGlKdCpP4LnEg=="
            },
            "filename": "arjson-0.1.4.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": ".github/scripts/precheck",
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"
        }
    ]
}