VYPR

npm · Malicious package advisory

Malware

ai3

MAL-2026-4476

Malicious code in ai3 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (83540d952123c5d1199bbec1a72d0c4c49c428f309b9d68df45e307b852000a7)
package.json declares `"preinstall": "./.github/scripts/precheck"`, which points at a 976,568-byte precompiled Linux ELF x86-64 binary shipped inside the tarball with no source, no build script, no binding.gyp, and no documentation. On `npm install` the binary runs automatically with the installer's privileges. Extracted strings show HTTP client code (`HTTP/1.1`, `POST`, `Host:`), full TLS/crypto stacks (`RSA_PKCS1_`, `Ed25519`, `MLKEM`, `X448`), and GitHub API fingerprints — consistent with a network-capable dropper / credential harvester rather than a legitimate native addon. The payload is staged under `.github/scripts/` (a directory normally reserved for non-executing GitHub Actions workflow files) and named `precheck` with no extension, both consistent with deliberate concealment from reviewers. Package metadata is empty (`description: ""`, `author: ""`). Installing this package runs attacker-controlled compiled code on the installer's machine.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.3.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.