{"id":"MAL-2026-4547","summary":"Malicious code in cxpher-linux-arm32 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cd6c14d2899b638880b25bf1c35973ed1c9cf6fcb99331447e3da7c2478124c7)\nThe package's `main` is an ARM ELF binary that, when loaded, mkdtemp's a working directory under `/dev/shm/.cxpher.XXXXXX` or `/tmp/.cxpher.XXXXXX`, writes an unpacked JavaScript file (`a.js` and `/tmp/.cxpher-wrap.%d.js`), locates `node` at `/usr/local/bin/node` or `/usr/bin/node`, and execvp's node against the unpacked file. The bytes that ultimately run are decoded from an opaque high-entropy blob inside the ELF and are not human-auditable from the published tarball — equivalent to `eval(decode(blob))` but in native form. The same binary reads `/proc/self/status` and parses the `TracerPid:` field, the canonical Linux anti-ptrace anti-debug check; legitimate native addons do not need this. Package metadata is placeholder (no author, homepage, repository, or README; description is the generic string \"Native binary for cxpher on linux-arm32\"), and the binary references an alternate environment-variable prefix (`AGPK_AUDIO_FD` alongside `CXPHER_AUDIO_FD`) suggesting it was renamed/repurposed from a different project. No documentation describes what code is unpacked and run on the installer's machine.\n","modified":"2026-05-26T06:02:27.321516126Z","published":"2026-05-24T18:54:03Z","database_specific":{"malicious-packages-origins":[{"versions":["2.0.22"],"source":"amazon-inspector","id":"IN-MAL-2026-004526","modified_time":"2026-05-24T18:54:03Z","import_time":"2026-05-26T05:52:46.653948545Z","sha256":"cd6c14d2899b638880b25bf1c35973ed1c9cf6fcb99331447e3da7c2478124c7"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cxpher-linux-arm32/v/2.0.22"}],"affected":[{"package":{"name":"cxpher-linux-arm32","ecosystem":"npm","purl":"pkg:npm/cxpher-linux-arm32"},"versions":["2.0.22"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cxpher-linux-arm32/MAL-2026-4547.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"path":"cXpher","tlsh":"25842319eff39a94d9da43b8ece0d854abb2975a8c5427c1b3ccd0301e5a264c473ee5","sha256":"910b1f8164a8b57fb53840b216cb9c8ea6e50382294b06b7dd63f3592775a173"},{"path":"package.json","tlsh":"7bd05e008620b46318d89a600d6a51895a180eefc3803e10635b630d036826646bd6ad","sha256":"5cac10c8e9444eca93b2a23996c5af289cd85c1dab6e13d56cbfa047ec867daf"}],"package_integrity":[{"hashes":{"sha1":"b0bd18b89d24b42edeb0895457776ec905dfef9e","sha512_sri":"sha512-1KM/nXR5MjIZ4ZY3Q9hTl2p+yRXOfLJLGE0UvQ53e0uZZ67jU+W9A7iWZx2I/W7VwCraenasHy9QyKjXsSbi1A=="},"filename":"cxpher-linux-arm32-2.0.22.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}