VYPR

npm · Malicious package advisory

Malware

arnext-arkb

MAL-2026-4483

Malicious code in arnext-arkb (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (87f9eda6644870362103de6f3bf1877efb1039c4b2b771343bcf6c38f216ecc0)
package.json declares `"preinstall": "./bin/install-deps"`, which points at a 976,568-byte Linux x86-64 ELF executable shipped in the tarball with no source, no build system, and no documentation. The binary is run as the installing user on every `npm install`. Strings inside the ELF include `LIBBPF`, `PTRACE`, `HTTP/1.1`, `POST`, `USERPROFILE`, and `Ed25519` — capabilities (eBPF, process tracing, HTTP POST, cross-platform home-directory paths, key handling) that are unrelated to an Arweave deploy CLI. The package is also a clear impersonation of the legitimate Arweave `arkb` tool: it declares `"bin": { "arkb": "./bin/app.js" }` so `npx arkb` resolves to this package, its commands.js duplicates the real arkb help output (`arkb ${command + usage}`), and it lists `@textury/ardb` as a dependency to ride on the textury/Arweave brand. The combination of a typosquat lure plus an opaque preinstall native binary with no matching source is the canonical install-time-RCE / dropper pattern: any developer who runs `npm install arnext-arkb` (or installs it transitively) executes attacker-controlled native code under their own account before any other code runs.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.