MAL-2026-5194
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/yaml-javascript/MAL-2026-5194.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5194
- Published
- 2026-06-04T22:27:40Z
- Modified
- 2026-06-05T01:46:51.591409459Z
- Summary
- Malicious code in yaml-javascript (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: google-open-source-security (d83c3b506a10b770a8c1f98d280262478cccc65708bb1066a72e0708dccaaf75)
This malicious package is part the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
- Database specific
{ "malicious-packages-origins": [ { "versions": [ "4.1.2" ], "sha256": "d83c3b506a10b770a8c1f98d280262478cccc65708bb1066a72e0708dccaaf75", "source": "google-open-source-security", "modified_time": "2026-06-04T22:28:51.769005667Z", "import_time": "2026-06-05T00:24:25.065752Z" } ] }- References
Affected packages
npm / yaml-javascript
Package
- Name
- yaml-javascript
- View open source insights on deps.dev
- Purl
- pkg:npm/yaml-javascript