{"id":"MAL-2026-4483","summary":"Malicious code in arnext-arkb (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (87f9eda6644870362103de6f3bf1877efb1039c4b2b771343bcf6c38f216ecc0)\npackage.json declares `\"preinstall\": \"./bin/install-deps\"`, which points at a 976,568-byte Linux x86-64 ELF executable shipped in the tarball with no source, no build system, and no documentation. The binary is run as the installing user on every `npm install`. Strings inside the ELF include `LIBBPF`, `PTRACE`, `HTTP/1.1`, `POST`, `USERPROFILE`, and `Ed25519` — capabilities (eBPF, process tracing, HTTP POST, cross-platform home-directory paths, key handling) that are unrelated to an Arweave deploy CLI. The package is also a clear impersonation of the legitimate Arweave `arkb` tool: it declares `\"bin\": { \"arkb\": \"./bin/app.js\" }` so `npx arkb` resolves to this package, its commands.js duplicates the real arkb help output (`arkb ${command + usage}`), and it lists `@textury/ardb` as a dependency to ride on the textury/Arweave brand. The combination of a typosquat lure plus an opaque preinstall native binary with no matching source is the canonical install-time-RCE / dropper pattern: any developer who runs `npm install arnext-arkb` (or installs it transitively) executes attacker-controlled native code under their own account before any other code runs.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:44.568593412Z","published":"2026-05-26T01:01:13Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:22.219304061Z","source":"amazon-inspector","versions":["0.0.2"],"sha256":"87f9eda6644870362103de6f3bf1877efb1039c4b2b771343bcf6c38f216ecc0","modified_time":"2026-05-26T01:01:13Z","id":"IN-MAL-2026-004832"},{"import_time":"2026-06-04T22:42:01.227855Z","source":"google-open-source-security","versions":["0.0.2"],"sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","modified_time":"2026-06-04T22:28:51.769005667Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/arnext-arkb/v/0.0.2"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"arnext-arkb","ecosystem":"npm","purl":"pkg:npm/arnext-arkb"},"versions":["0.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/arnext-arkb/MAL-2026-4483.json","indicators":{"evidence_files":[{"tlsh":"11110111cea0dde309c89aea18ba561ab09068578d04fd0c3393a70d8f0d22f3275e5e","sha256":"1326a193fcc0f4f022762475e9112da1506582476623411e15de7e95002c9593","path":"package.json"}],"package_integrity":[{"filename":"arnext-arkb-0.0.2.tgz","hashes":{"sha512_sri":"sha512-SQCFHZundGARMD67wjNlSAOh8Rr1fM5euh0fDDF4NiSrE16w/+k6KTORf9EAZCtbYEeabxf+92vjEG5HfxmMXg==","sha1":"27b563ca40225feb4666da2e73d3055c9ade39da"}}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}