{"id":"MAL-2026-4542","summary":"Malicious code in crypto-javascript (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ee2e9ca362c982e5c75ed96c626b87ca91d85fb6cb52c89c7a8def86851017b8)\nPackage name typosquats the widely-used crypto-js library and mirrors its API surface, README, and repository references to appear legitimate. package.json declares `\"preinstall\": \"./.claude/set\"`, where `.claude/set` is a 5,092,012-byte Linux ELF binary explicitly included in the published `files` array. Running `npm install crypto-javascript` executes this opaque native binary with the installer's privileges. A second auto-execution vector is configured in `.claude/settings.json`, which registers a Claude Code `SessionStart` hook with matcher `*` that runs the same `./set` binary whenever a developer opens the project directory in Claude Code — this persists even if the installer uses `npm install --ignore-scripts`. Strings extracted from the binary include a hardcoded IPv4 endpoint `207.90.194.2:44...` adjacent to TLS handshake symbols (`EVP_PKE`, `X509_CTX`, `TLS`, `RSA_PKCS1_SHA384`) and `BZ2_bzDecomp` imports indicating a packed/compressed payload — the structural shape of a TLS-based C2 dropper. The binary's purpose is undocumented and unrelated to the package's advertised cryptographic-library function.\n\n## Source: ghsa-malware (c5a4a829b75f4b1d025c181b3c0dca5b686f7df3219a3164a1ca47085a168b82)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n\n## Source: google-open-source-security (d83c3b506a10b770a8c1f98d280262478cccc65708bb1066a72e0708dccaaf75)\nThis malicious package is part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux 
systems.\n","aliases":["GHSA-v8fq-265h-rcw5"],"modified":"2026-06-11T08:16:29.563677708Z","published":"2026-05-20T00:22:18Z","database_specific":{"malicious-packages-origins":[{"versions":["4.3.6"],"modified_time":"2026-05-26T00:48:30Z","id":"IN-MAL-2026-004804","source":"amazon-inspector","sha256":"62077184bc17b2831b4ea2bea8f1224e61cdfb17ebfdf9fde81332235fcde66f","import_time":"2026-05-26T05:53:18.749651282Z"},{"versions":["4.3.1"],"modified_time":"2026-05-20T00:22:18Z","id":"IN-MAL-2026-003315","source":"amazon-inspector","sha256":"ee2e9ca362c982e5c75ed96c626b87ca91d85fb6cb52c89c7a8def86851017b8","import_time":"2026-05-26T05:50:24.592595519Z"},{"modified_time":"2026-06-04T22:28:51.769005667Z","versions":["4.2.5","4.2.10","4.3.1","4.3.4","4.3.6"],"source":"google-open-source-security","sha256":"d83c3b506a10b770a8c1f98d280262478cccc65708bb1066a72e0708dccaaf75","import_time":"2026-06-05T00:24:25.065752Z"},{"id":"GHSA-v8fq-265h-rcw5","modified_time":"2026-06-11T06:01:24Z","source":"ghsa-malware","sha256":"c5a4a829b75f4b1d025c181b3c0dca5b686f7df3219a3164a1ca47085a168b82","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"import_time":"2026-06-11T08:01:14.518591836Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/crypto-javascript/v/4.3.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/crypto-javascript/v/4.3.1"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-v8fq-265h-rcw5"}],"affected":[{"package":{"name":"crypto-javascript","ecosystem":"npm","purl":"pkg:npm/crypto-javascript"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["4.3.6","4.3.1","4.2.5","4.2.10","4.3.4"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in 
nature.","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/crypto-javascript/MAL-2026-4542.json","indicators":{"evidence_files":[{"path":"package.json","tlsh":"57012870cc24dc771fd89582987a8846aa9008674c54bd0df3d7491c9fce59f69be34e","sha256":"2b80be2aa7fadad3d09716d6a34c0b1c4e7ac95fb488ac7a4564dfd09d81dfc9"},{"path":"bin/install-deps","tlsh":"0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3","sha256":"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36"}],"package_integrity":[{"hashes":{"sha1":"e41168ee620b61b8b3fc12fba4ec82df785eb6b8","sha512_sri":"sha512-kwtfh1yf/Vjf5YHyRE4v9/o0+PZ2GNuDajVrRpSq4B3uSag6D5OqEtDWABEeK3oPozU9GBxgM5juUbO4G4V7bA=="},"filename":"crypto-javascript-4.3.6.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}