npm · Malicious package advisory
Malwareai3
MAL-2026-4476
Malicious code in ai3 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (83540d952123c5d1199bbec1a72d0c4c49c428f309b9d68df45e307b852000a7) package.json declares `"preinstall": "./.github/scripts/precheck"`, which points at a 976,568-byte precompiled Linux ELF x86-64 binary shipped inside the tarball with no source, no build script, no binding.gyp, and no documentation. On `npm install` the binary runs automatically with the installer's privileges. Extracted strings show HTTP client code (`HTTP/1.1`, `POST`, `Host:`), full TLS/crypto stacks (`RSA_PKCS1_`, `Ed25519`, `MLKEM`, `X448`), and GitHub API fingerprints — consistent with a network-capable dropper / credential harvester rather than a legitimate native addon. The payload is staged under `.github/scripts/` (a directory normally reserved for non-executing GitHub Actions workflow files) and named `precheck` with no extension, both consistent with deliberate concealment from reviewers. Package metadata is empty (`description: ""`, `author: ""`). Installing this package runs attacker-controlled compiled code on the installer's machine. ## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae) This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
Compromised versions (1)
- 0.3.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.