VYPR

npm · Malicious package advisory

Malware

testnpmnmp

MAL-2026-4691

Malicious code in testnpmnmp (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e82942b1fcdaed1a1085ad9590ef93704e276c5c5ca1622884abac014f03980f)
package.json declares `"preinstall": "./scripts/postbuild"`, where `scripts/postbuild` is a 976,568-byte unsigned, unhashed, unversioned Linux ELF executable shipped in the tarball. The package's only JavaScript source (src/index.js) is a trivial stub that exports `() => { console.log("hello") }`, with the bundled output (dist/index.cjs.js) matching. Nothing in the package's stated Arweave/Warp-contracts wrapper purpose justifies a native executable, and the binary's embedded strings (`LIBBPF_0.0`, `PTRACE`, `NETLINK`, `HTTP/1.1`, `USERPROFILE`, `RSA_PKCS1_`, `Ed25519`) indicate credential-handling and network-agent capabilities rather than build tooling. On `npm install`, the binary runs with the installer's privileges before any user inspection; the JS stub is a cover for shipping and executing arbitrary native code. The package name `testnpmnmp` and stub source further indicate a throwaway dropper rather than a real library.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 1.0.21

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.