VYPR

npm · Malicious package advisory

Malware

test-ajs

MAL-2026-4689

Malicious code in test-ajs (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (851b521e3dde5ea11478cd37cc4bf8da2f0a0ca1864d6c39fa27fd02ef0f9308)
test-ajs advertises a ~2KB React/Recoil helper (dist/cjs/index.js, 2169 bytes, exporting Roid/inject glue over react+recoil) but ships a ~976KB Linux ELF at bin/install-deps and runs it unconditionally via package.json's preinstall hook ("preinstall": "./bin/install-deps"). The package declares no native build tooling — no binding.gyp, no C/C++ or Rust source, no node-gyp / prebuild-install / cmake-js — so there is no legitimate reason for a native binary to exist, let alone execute on every npm install. The binary's embedded strings indicate HTTP client behavior (HTTP/1.1, POST, DELETE, https://), modern asymmetric crypto (RSA_PKCS1_, Ed25519, MLKEM, X448), a GitHub API version pin (2022-11-28), and host-environment references (USERPROFILE, PATH) — the fingerprint of an outbound-network agent with credential/key handling, completely unrelated to a 2KB React binding. The cover-story name ("install-deps") is misleading: the JavaScript surface contains no dependency-resolution logic the binary could be assisting. Any developer or CI runner that installs this package executes attacker-controlled native code with the installer's privileges before any review of package contents is possible.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.1.19

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.