npm · Malicious package advisory
Malwaremonade
MAL-2026-4613
Malicious code in monade (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (32631bc0128011d7e526d2665460d2e4562c2d50602e38218e2ad3078635726a)
monade@0.0.7 advertises itself as a JavaScript monad/flow utility library (cjs/index.js exports flow, of, opt, ka, dev), yet ships a 976KB UPX-packed Linux x86-64 ELF at src/compiler/native and wires it directly to the npm preinstall lifecycle hook (package.json: "preinstall": "./src/compiler/native"). On every `npm install` on Linux, this opaque native binary executes with the installer's privileges before any of the package's JavaScript is even evaluated. The binary is deliberately obfuscated via UPX packing (signature "http://upx.sf.net" present in the file) and unpacked strings reveal HTTP client primitives (HTTP/1.1, POST, DELETE, XMLHttp), HTTPS URLs, environment-variable access, eBPF references, and anti-debug indicators — none of which are needed for a pure-JS utility library. The package ships no C/C++/Rust source, no binding.gyp, no build system; the binary is not the product of a compile step but a prebuilt opaque payload. This is the canonical install-time dropper shape: arbitrary attacker-controlled native code executed on the installer's machine on `npm install`, with cover-story naming ("compiler/native") that contradicts the package's advertised purpose.
## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
Compromised versions (1)
- 0.0.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.