VYPR

npm · Malicious package advisory

Malware

create-arnext-app

MAL-2026-4538

Malicious code in create-arnext-app (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667)
The package declares `"preinstall": "./.github/scripts/precheck"` in package.json, which invokes a 976KB stripped Linux x86_64 ELF binary hidden under `.github/scripts/`. The binary auto-executes unconditionally on `npm install`. Strings extracted from the binary reveal capabilities entirely inconsistent with the package's stated purpose (a `create-*-app` template scaffolder that copies a directory and runs `yarn`): PTRACE (anti-debug/process tracing), LIBBPF (kernel-level packet filtering/evasion), HTTP/1.1 with POST and DELETE methods, `https://` endpoints, RSA_PKCS1, Ed25519, and MLKEM (post-quantum key exchange) cryptographic primitives, and USERPROFILE host-identifier enumeration. The combination of kernel evasion + outbound HTTPS channel + KEM crypto + host-identifier fields is the fingerprint of an installer-targeted implant, not a precheck script. The binary is staged in `.github/scripts/`, an unusual location for runtime artifacts (typically reserved for CI configuration), which is consistent with concealment from casual review. The package name additionally resembles the legitimate `create-next-app` family, increasing the chance of confused-install. Installer impact: any developer running `npm install create-arnext-app` executes attacker-controlled native code on their machine with their privileges — equivalent to remote code execution.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.0.10

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.