VYPR

npm · Malicious package advisory

Malware

cwao

MAL-2026-4544

Malicious code in cwao (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f48b0fefe9d99bcebeaa878f5bb2ca40df917b40785d6b5b8a31cf6e70a44970)
package.json declares "preinstall": "./vendor/setup", which directly executes a 976,568-byte packed Linux x86 ELF binary shipped in the tarball. The README advertises the package as a pure-JS CosmWasm/Arweave AO SDK and never mentions a native binary. The binary is opaque (mostly non-printable, UPX-style packing) with no shipped source, no binding.gyp, no node-gyp/prebuild-install manifest, no version pin and no hash verification. Embedded string fragments include LIBBPF, PTRACE, /proc, HTTP/1.1, https://, RSA, and USERPROFILE — capabilities (kernel BPF, process tracing, outbound HTTPS, credential paths) entirely unrelated to a JavaScript SDK. Every installer running `npm install cwao` on Linux executes this attacker-controlled native code with the user's privileges before any JavaScript loads. This matches the generic-binary-runner-dropper pattern: undocumented binary, purpose mismatch with the advertised package function, opaque payload, no integrity check, direct lifecycle invocation.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.5.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.