{"id":"MAL-2026-4546","summary":"Malicious code in cwao-units (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (94f3ce7490e9a811444c5493ebb6d968f9dd7879d7695f330e101cf5b158fedf)\npackage.json declares `\"preinstall\": \"./scripts/postbuild\"`, where scripts/postbuild is a 976,568-byte Linux x86-64 ELF binary shipped in the tarball with no corresponding source, no native build configuration (no binding.gyp, no.c/.cc/.rs files, no node-gyp/cmake-js/prebuild-install tooling), and no mention in README. The package self-describes as a pure-JS Arweave/AO unit runner whose declared dependencies (arweave, express, cors, ramda, weavedb) are all pure JavaScript — there is no legitimate cover story for a platform-specific native binary. Strings inside the ELF include LIBBPF_0.0, PTRACE, NETLINK, HTTP/1.1, https://, Ed25519/RSA/MLKEM crypto primitives, and USERPROFILE, indicating network-capable, BPF/ptrace-capable native code. Every `npm install cwao-units` executes this opaque binary as the installer's user before the package is even loaded. The filename `postbuild` is suggestively chosen to mimic a benign build artifact, and the binary is invoked as a preinstall (not postinstall) hook so it fires before any inspection. This matches the canonical opaque-binary dropper pattern: doc-mismatch + thin lifecycle-script wrapper + undocumented native code with networking/tracing primitives.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:44.856983109Z","published":"2026-05-26T01:00:27Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004821","import_time":"2026-05-26T05:53:20.961988129Z","sha256":"94f3ce7490e9a811444c5493ebb6d968f9dd7879d7695f330e101cf5b158fedf","modified_time":"2026-05-26T01:00:27Z","source":"amazon-inspector","versions":["0.8.3"]},{"import_time":"2026-06-04T22:42:01.227855Z","sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","modified_time":"2026-06-04T22:28:51.769005667Z","source":"google-open-source-security","versions":["0.8.3"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cwao-units/v/0.8.3"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"cwao-units","ecosystem":"npm","purl":"pkg:npm/cwao-units"},"versions":["0.8.3"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"7b01f470ed11cdb308c562fa28354256a56158275c84fc9c33c6eb0c8f9d86f32b9d2d","sha256":"c95a8db88750d63cfd2b2bf537ffb9c302da16b4a80075421468b592959d2677","path":"package.json"},{"tlsh":"0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3","sha256":"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36","path":"scripts/postbuild"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-Gsp881+Ji5JZAh6QCfYeQvUkvygcGGmbPx/GoGi7+oisX5UnpuZ830pPvXjSxuMnnvgopmNobr6yJ1Q8XNMdMw==","sha1":"535e79c05de7e50c70adba627bc649e8380ad243"},"filename":"cwao-units-0.8.3.tgz"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cwao-units/MAL-2026-4546.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}