{"id":"MAL-2026-4480","summary":"Malicious code in aonote (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (df30872a579b6ce2419993ff9bad621f42347097dd43551a26583223e6a98a7b)\npackage.json declares `\"preinstall\": \"./scripts/postbuild\"`, where `scripts/postbuild` is a 976KB UPX-packed Linux x86-64 ELF (sha256 36abd242...) shipped in the tarball with no source, no documentation, and no relation to the package's stated purpose (a JavaScript Arweave/AO note SDK). The binary executes unconditionally on every `npm install` on Linux. Strings inside the binary include kernel/loader paths (`/lib64`, `nux-x86-`), UPX self-tag (`http://upx.sf.net`), eBPF and ptrace symbols (`LIBBPF_0.0`, `_PTRACE`), cryptographic primitives (`RSA_PKCS1_`, `Ed25519`, `MLKEM`), HTTP client strings (`HTTP/1.1`), and host-identity references (`USERPROFILE`, `BY_FAMILY`). Package metadata is hollow (`description: \"\"`, `author: \"\"`), consistent with a hijack of a previously-legitimate name or an attacker-published lure. A JS SDK has no legitimate need to execute an opaque packed native binary at install time; the UPX packing additionally hides the payload from static review. Any developer or CI pipeline running `npm install aonote` on Linux executes attacker-controlled native code with the invoking user's privileges.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:44.530431327Z","published":"2026-05-26T00:59:18Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004808","source":"amazon-inspector","sha256":"df30872a579b6ce2419993ff9bad621f42347097dd43551a26583223e6a98a7b","versions":["0.11.1"],"modified_time":"2026-05-26T00:59:18Z","import_time":"2026-05-26T05:53:19.199580124Z"},{"source":"google-open-source-security","sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","versions":["0.11.1"],"modified_time":"2026-06-04T22:28:51.769005667Z","import_time":"2026-06-04T22:42:01.227855Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/aonote/v/0.11.1"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"aonote","ecosystem":"npm","purl":"pkg:npm/aonote"},"versions":["0.11.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/aonote/MAL-2026-4480.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"2ac42d68784d5ffe8978d3ad89677fb23b9ba0e5","sha512_sri":"sha512-CuSzqJVidyzLjd3OpYwVoNiWHmMJy8UxFd8PO29fqaVPyvhYZZtwhoY/GP5NGYFw9qORc9fznWYCIP9lp+V+Dw=="},"filename":"aonote-0.11.1.tgz"}],"evidence_files":[{"path":"package.json","sha256":"1069d5d3334f699c23673562c4f87012857123f2887c26a16933982805ebff3d","tlsh":"8ff05920cd65edb305c862a0aa7a4583baf94e130445fc4973d2b60c8b8c37b64f921c"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}