npm · Malicious package advisory
Malwareroidjs
MAL-2026-4663
Malicious code in roidjs (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (46b2c3afc1b9dd20ecad5f3b47c333e8324500e3d0102df362aa7c11a60469a0) package.json declares `"preinstall": "./bin/install-deps"`, which causes `npm install roidjs` to auto-execute `bin/install-deps` — a 976,568-byte Linux x86_64 ELF whose embedded strings include `LIBBPF_0.0`, `PTRACE`, `NETLINK`, `RSA_PKCS1_`, `Ed25519`, `https://`, `HTTP/1.1`, `POST`, and `USERPROFILE`. The package advertises itself as a tiny React+Recoil state helper (the actual JS in dist/cjs/index.js is ~1.7 KB of pure JavaScript) and has no documented native dependency that would justify shipping or running such a binary. The capabilities suggested by the binary's strings (eBPF, ptrace, NETLINK, outbound HTTPS POST, cross-platform user-profile path handling, asymmetric crypto) are inconsistent with a state-management library. The publisher provides no source for the binary, no build manifest, no checksum, and no integrity verification — the installer has no way to know what runs as their user when the lifecycle hook fires. The shape (opaque native dropper invoked from preinstall, purpose mismatch with package description, no provenance) matches the generic-binary-runner-dropper pattern. ## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae) This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
Compromised versions (1)
- 0.1.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.