{"id":"MAL-2026-4712","summary":"Malicious code in warp-contracts-plugin-deploy-test (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ac3a02c9f004d72f8975e0e93fb0810818b509cf295cf9a567c882afaf9a7444)\nPackage name `warp-contracts-plugin-deploy-test` mimics the legitimate `warp-contracts-plugin-deploy` and copies its public API surface (lib/cjs/index.js re-exports DeployPlugin, CreateContractImpl, SourceImpl, Arweave/Ethereum signers identical to the genuine package). package.json declares `\"preinstall\": \"./bin/install-deps\"` where `bin/install-deps` is a 976,568-byte packed Linux ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36). The package self-describes as a TypeScript Warp Contracts deploy plugin — there is no native source tree, no node-gyp/binding.gyp, no documented purpose for shipping a Linux ELF helper. Readable strings in the binary (LIBBPF, PTRACE, NETLINK_DIAG, HTTP/1.1, https://, USERPROFILE) are inconsistent with any deploy-plugin function and consistent with a host-implant payload. On `npm install`, the binary runs with the installer's privileges, executing attacker-supplied compiled code that the scanner cannot inspect.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:41.679489570Z","published":"2026-05-26T01:00:15Z","database_specific":{"malicious-packages-origins":[{"sha256":"ac3a02c9f004d72f8975e0e93fb0810818b509cf295cf9a567c882afaf9a7444","id":"IN-MAL-2026-004814","source":"amazon-inspector","versions":["3.0.1"],"import_time":"2026-05-26T05:53:20.064460109Z","modified_time":"2026-05-26T01:00:15Z"},{"versions":["3.0.1"],"modified_time":"2026-06-04T22:28:51.769005667Z","sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","import_time":"2026-06-04T22:42:01.227855Z","source":"google-open-source-security"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/warp-contracts-plugin-deploy-test/v/3.0.1"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"warp-contracts-plugin-deploy-test","ecosystem":"npm","purl":"pkg:npm/warp-contracts-plugin-deploy-test"},"versions":["3.0.1"],"database_specific":{"indicators":{"evidence_files":[{"path":"package.json","sha256":"e64f42c8e66746830d5a675f8836e623a3f1fa6fe88795e47a1e84b44ab2b747","tlsh":"fa31ae20cf598c7322d46635f869c6836a7985a71c59fc0473e2a37c4f0c7af12b52ae"}],"package_integrity":[{"filename":"warp-contracts-plugin-deploy-test-3.0.1.tgz","hashes":{"sha1":"363f840495eb1045c5068359f30f2664828e4a32","sha512_sri":"sha512-+FMOSw41u87GSxq7KMyvBoU7fqABE0PKsN2GJ5s8mnjt1DIWiB2H2JfI5O7XJ2V+PcgCv4chF3575XqamdXMew=="}}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/warp-contracts-plugin-deploy-test/MAL-2026-4712.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}