{"id":"MAL-2026-4538","summary":"Malicious code in create-arnext-app (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667)\nThe package declares `\"preinstall\": \"./.github/scripts/precheck\"` in package.json, which invokes a 976KB stripped Linux x86_64 ELF binary hidden under `.github/scripts/`. The binary auto-executes unconditionally on `npm install`. Strings extracted from the binary reveal capabilities entirely inconsistent with the package's stated purpose (a `create-*-app` template scaffolder that copies a directory and runs `yarn`): PTRACE (anti-debug/process tracing), LIBBPF (kernel-level packet filtering/evasion), HTTP/1.1 with POST and DELETE methods, `https://` endpoints, RSA_PKCS1, Ed25519, and MLKEM (post-quantum key exchange) cryptographic primitives, and USERPROFILE host-identifier enumeration. The combination of kernel evasion + outbound HTTPS channel + KEM crypto + host-identifier fields is the fingerprint of an installer-targeted implant, not a precheck script. The binary is staged in `.github/scripts/`, an unusual location for runtime artifacts (typically reserved for CI configuration), which is consistent with concealment from casual review. The package name additionally resembles the legitimate `create-next-app` family, increasing the chance of confused-install. Installer impact: any developer running `npm install create-arnext-app` executes attacker-controlled native code on their machine with their privileges — equivalent to remote code execution.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:44.634840347Z","published":"2026-05-26T01:01:13Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:22.104844755Z","modified_time":"2026-05-26T01:01:13Z","versions":["0.0.10"],"sha256":"67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667","id":"IN-MAL-2026-004831","source":"amazon-inspector"},{"import_time":"2026-06-04T22:42:01.227855Z","modified_time":"2026-06-04T22:28:51.769005667Z","versions":["0.0.10"],"sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","source":"google-open-source-security"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/create-arnext-app/v/0.0.10"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"create-arnext-app","ecosystem":"npm","purl":"pkg:npm/create-arnext-app"},"versions":["0.0.10"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/create-arnext-app/MAL-2026-4538.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36","tlsh":"0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3","path":".github/scripts/precheck"},{"sha256":"6c8d6d349eed97d54268c21eccbc7a8e87be95a8a729de931742ef14d16da745","tlsh":"69e0c270cd71593304ca26aa647a5a02ba930c230008fc2423c3d21c979c92724be89d","path":"package.json"}],"package_integrity":[{"filename":"create-arnext-app-0.0.10.tgz","hashes":{"sha1":"c9df3b26b0e9e32780c61e586d26bd012ecee272","sha512_sri":"sha512-pNlPBDOVVns+AVU94s6K7l1IbcI5YzvjBvMCVXbPfGRUTr3iGRNMgDD3pDKmFiHggZJhjeWTzxFcURPC5IxN/g=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}