aonotenpm

package.json declares "preinstall": "./scripts/postbuild", where scripts/postbuild is a 976KB UPX-packed Linux x86-64 ELF (sha256 36abd242...) shipped in the tarball with no source, no documentation, and no relation to the package's stated purpose (a JavaScript Arweave/AO note SDK). The binary executes unconditionally on every npm install on Linux. Strings inside the binary include kernel/loader paths (/lib64, nux-x86-), UPX self-tag (http://upx.sf.net), eBPF and ptrace symbols (LIBBPF_0.0, _PTRACE), cryptographic primitives (RSA_PKCS1_, Ed25519, MLKEM), HTTP client strings (HTTP/1.1), and host-identity references (USERPROFILE, BY_FAMILY). Package metadata is hollow (description: "", author: ""), consistent with a hijack of a previously-legitimate name or an attacker-published lure. A JS SDK has no legitimate need to execute an opaque packed native binary at install time; the UPX packing additionally hides the payload from static review. Any developer or CI pipeline running npm install aonote on Linux executes attacker-controlled native code with the invoking user's privileges.

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.