{"id":"MAL-2026-4486","summary":"Malicious code in atomic-notes (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c70dcf4fd11ae58bf4e06b896b2f163d54e3c3a26b66d472bab1e0af126f6f81)\npackage.json declares `preinstall:./.github/scripts/precheck`, which executes a 976 KB stripped, UPX-packed Linux x86_64 ELF shipped at `.github/scripts/precheck` on every `npm install`. The binary is opaque (packed + stripped, UPX marker `http://upx.sf.net` present) and contains kernel/syscall surface (LIBBPF, PTRACE, NETLINK, NETLINK_DIAG), a TLS/HTTP client (`HTTP/1.1`, `Ed25519`, `RSA_PKCS1_`, `POST`), and references to `USERPROFILE` and `https://` — capabilities entirely unrelated to the package's advertised purpose as a JavaScript Arweave/AO 'atomic-notes' library. The binary is hidden under `.github/scripts/`, a directory normally reserved for CI workflow YAML, not runtime code. Author and description fields in package.json are empty placeholders. There is no hash verification, no documentation, and no legitimate reason for a JS library to execute an opaque privileged Linux binary at install time.\n","modified":"2026-05-26T06:02:14.605615362Z","published":"2026-05-26T01:00:33Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-26T01:00:33Z","versions":["0.5.3"],"source":"amazon-inspector","id":"IN-MAL-2026-004825","import_time":"2026-05-26T05:53:21.433302985Z","sha256":"c70dcf4fd11ae58bf4e06b896b2f163d54e3c3a26b66d472bab1e0af126f6f81"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/atomic-notes/v/0.5.3"}],"affected":[{"package":{"name":"atomic-notes","ecosystem":"npm","purl":"pkg:npm/atomic-notes"},"versions":["0.5.3"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/atomic-notes/MAL-2026-4486.json","indicators":{"evidence_files":[{"sha256":"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36","tlsh":"0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3","path":".github/scripts/precheck"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-XalU2OtHiAXtrlv74LY4ChdutuWJ3s2AvvKmggZhs0095+78k/yZwafSmp/qA6XhdkqwVpeEsgayJXb6EOEAcQ==","sha1":"39fe3c6cab7278043eff4cce01c75ba0deb48d0f"},"filename":"atomic-notes-0.5.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}