{"id":"MAL-2026-4613","summary":"Malicious code in monade (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (32631bc0128011d7e526d2665460d2e4562c2d50602e38218e2ad3078635726a)\nmonade@0.0.7 advertises itself as a JavaScript monad/flow utility library (cjs/index.js exports flow, of, opt, ka, dev), yet ships a 976KB UPX-packed Linux x86-64 ELF at src/compiler/native and wires it directly to the npm preinstall lifecycle hook (package.json: \"preinstall\": \"./src/compiler/native\"). On every `npm install` on Linux, this opaque native binary executes with the installer's privileges before any of the package's JavaScript is even evaluated. The binary is deliberately obfuscated via UPX packing (signature \"http://upx.sf.net\" present in the file) and unpacked strings reveal HTTP client primitives (HTTP/1.1, POST, DELETE, XMLHttp), HTTPS URLs, environment-variable access, eBPF references, and anti-debug indicators — none of which are needed for a pure-JS utility library. The package ships no C/C++/Rust source, no binding.gyp, no build system; the binary is not the product of a compile step but a prebuilt opaque payload. This is the canonical install-time dropper shape: arbitrary attacker-controlled native code executed on the installer's machine on `npm install`, with cover-story naming (\"compiler/native\") that contradicts the package's advertised purpose.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:45.512152466Z","published":"2026-05-26T01:00:21Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"32631bc0128011d7e526d2665460d2e4562c2d50602e38218e2ad3078635726a","import_time":"2026-05-26T05:53:20.451609423Z","versions":["0.0.7"],"id":"IN-MAL-2026-004817","modified_time":"2026-05-26T01:00:21Z"},{"modified_time":"2026-06-04T22:28:51.769005667Z","sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","import_time":"2026-06-04T22:42:01.227855Z","source":"google-open-source-security","versions":["0.0.7"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/monade/v/0.0.7"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"monade","ecosystem":"npm","purl":"pkg:npm/monade"},"versions":["0.0.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/monade/MAL-2026-4613.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha1":"24a75c4f932a8f5770058a450c7ef5d3c4bc2107","sha512_sri":"sha512-+KtuLObGXFe95Hp+NX4yE07ZI7X9tZUp3kgPYz7MZ6cJ/JgRdU8zEO/AQT6iy0KzBhAVoJot8aOuj1NUEPIl4A=="},"filename":"monade-0.0.7.tgz"}],"evidence_files":[{"sha256":"1773be1290f2fa87143c168e1f644b139de633b3a84bec2c7bbce3995350dec6","path":"package.json","tlsh":"b9e0df20cc64ec5364d49790caea16c32ea729a71454fc0933f7392c9fdcb5b20b961d"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}