MAL-2026-5189

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/arjson/MAL-2026-5189.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5189
Published
2026-06-04T22:27:40Z
Modified
2026-06-04T23:16:44.513336369Z
Summary
Malicious code in arjson (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific 
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-04T22:42:01.227855Z",
            "versions": [
                "0.1.4"
            ],
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "source": "google-open-source-security"
        }
    ]
}
References

Affected packages

npm / arjson

Package

Name
arjson
View open source insights on deps.dev
Purl
pkg:npm/arjson

Affected ranges

Affected versions

0.*
0.1.4

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/arjson/MAL-2026-5189.json"