MAL-2026-5190

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hbsig/MAL-2026-5190.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5190
Published
2026-06-04T22:27:40Z
Modified
2026-06-04T23:16:45.481985942Z
Summary
Malicious code in hbsig (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific 
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-04T22:42:01.227855Z",
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "source": "google-open-source-security",
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "versions": [
                "0.3.2"
            ]
        }
    ]
}
References

Affected packages

npm / hbsig

Package

Name
hbsig
View open source insights on deps.dev
Purl
pkg:npm/hbsig

Affected ranges

Affected versions

0.*
0.3.2

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/hbsig/MAL-2026-5190.json"