{"id":"MAL-2026-4739","summary":"Malicious code in zkjson (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (758a19e42db66cf6ae7a08d462278b30e3a154b56613d2d95f8020de3add3816)\npackage.json declares `\"preinstall\": \"./.github/scripts/precheck\"`, pointing to a 976 KB Linux ELF executable (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) shipped inside the tarball at `.github/scripts/precheck`. The binary runs automatically with the installer's privileges on every `npm install`. The package self-describes as a pure-JS 'Zero Knowledge Provable JSON' library whose `main` exports only JS classes from `cjs/index.js`; there is no source, build script, documentation, or stated purpose justifying a native executable. Extracted strings indicate HTTP-client primitives (`HTTP/1.1`, `POST`, `GET`, `Host:`, `https://`) and OAuth-related tokens, consistent with a network-active payload. There is no version pinning, no hash verification, and no reproducible build path for the binary — the published bytes are the only artifact installers receive. Shipping an opaque networked ELF as a preinstall hook in a library that advertises no native component is the canonical install-time dropper shape and gives the publisher arbitrary code execution on every installer's machine.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:43.431922316Z","published":"2026-05-26T00:59:30Z","database_specific":{"malicious-packages-origins":[{"sha256":"758a19e42db66cf6ae7a08d462278b30e3a154b56613d2d95f8020de3add3816","import_time":"2026-05-26T05:53:19.583301181Z","id":"IN-MAL-2026-004810","versions":["0.8.5"],"source":"amazon-inspector","modified_time":"2026-05-26T00:59:30Z"},{"sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","import_time":"2026-06-04T22:42:01.227855Z","versions":["0.8.5"],"source":"google-open-source-security","modified_time":"2026-06-04T22:28:51.769005667Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/zkjson/v/0.8.5"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"zkjson","ecosystem":"npm","purl":"pkg:npm/zkjson"},"versions":["0.8.5"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zkjson/MAL-2026-4739.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-EHTv+P/2UWsYZ2z7NvlS9nJ9A0DTPYo/aWNDIGVIhKRKeFMXus83+Bg8b5Z1oyse2RlY402o/3HEJyjdOyJSMQ==","sha1":"9eb45e87eaca9900daff4bb64dc0ca2cd2bd9ab4"},"filename":"zkjson-0.8.5.tgz"}],"evidence_files":[{"sha256":"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36","path":".github/scripts/precheck","tlsh":"0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}