npm · Malicious package advisory
Malwarecwao
MAL-2026-4544
Malicious code in cwao (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f48b0fefe9d99bcebeaa878f5bb2ca40df917b40785d6b5b8a31cf6e70a44970) package.json declares "preinstall": "./vendor/setup", which directly executes a 976,568-byte packed Linux x86 ELF binary shipped in the tarball. The README advertises the package as a pure-JS CosmWasm/Arweave AO SDK and never mentions a native binary. The binary is opaque (mostly non-printable, UPX-style packing) with no shipped source, no binding.gyp, no node-gyp/prebuild-install manifest, no version pin and no hash verification. Embedded string fragments include LIBBPF, PTRACE, /proc, HTTP/1.1, https://, RSA, and USERPROFILE — capabilities (kernel BPF, process tracing, outbound HTTPS, credential paths) entirely unrelated to a JavaScript SDK. Every installer running `npm install cwao` on Linux executes this attacker-controlled native code with the user's privileges before any JavaScript loads. This matches the generic-binary-runner-dropper pattern: undocumented binary, purpose mismatch with the advertised package function, opaque payload, no integrity check, direct lifecycle invocation. ## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae) This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
Compromised versions (1)
- 0.5.6
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.