VYPR

npm · Malicious package advisory

Malware

yaml-javascript

MAL-2026-5194

Malicious code in yaml-javascript (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: google-open-source-security (d83c3b506a10b770a8c1f98d280262478cccc65708bb1066a72e0708dccaaf75)
This malicious package is part the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 4.1.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.