npm · Malicious package advisory
Malwarefpjson-lang
MAL-2026-4566
Malicious code in fpjson-lang (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (38aca097f261c15ef9901f259883679e2d4308d6e4053099643c8befe9a14318) package.json declares `"preinstall": "./bin/install-deps"`, causing npm to execute a ~954KB packed Linux ELF binary on every install. The package advertises itself as a tiny JSON-based functional language built on Ramda, and the actual library at dist/cjs/index.js is ~1.8KB of pure JavaScript with no native dependency — there is no legitimate reason for a native install helper. Strings extracted from the shipped binary include HTTP/1.1, POST/DELETE verbs, GitHub API version `2022-11-28`, `USERPROFILE`, TLS/crypto primitives (`RSA_PKCS1_`, `Ed25519`), `PTRACE`, and `LIBBPF_0.0` — a feature set (HTTP client + GitHub API + ptrace + crypto) wholly unrelated to a JSON parser. The binary is packed and opaque to static review. The combination of (a) auto-execution at install time via preinstall, (b) shipped opaque native binary, (c) capability set entirely unrelated to the package's declared purpose, and (d) absent source/build manifest matches the install-time dropper pattern: arbitrary attacker-controlled code runs on every installer's machine on `npm install`. ## Source: ghsa-malware (53828346610b7e76dc7f1ef582cf9efb40daaf6cf2848d9bc26b733c4cef3cbb) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. ## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae) This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
Compromised versions (1)
- 0.1.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.