Malicious code in arjson (npm)
Remove it immediately and rotate any exposed credentials.
What this malware does
package.json declares "preinstall": "./.github/scripts/precheck", which on npm install executes a 976KB UPX-packed Linux ELF binary shipped under .github/scripts/ (a path designed to look like CI tooling). The binary has no accompanying source, is compressed with UPX (http://upx.sf.net banner present in the packed image) to defeat static inspection, and its embedded strings reveal capabilities far beyond anything a JSON serialization library would require: libbpf/eBPF (LIBBPF_0.0), kernel tracing (PTRACE), netlink socket-diag enumeration (NETLINK_*_DIAG, INODE), HTTP client primitives (HTTP/1.1, POST, DELETE), GitHub API client (2022-11-28), Windows path handling (USERPROFILE), and asymmetric crypto (Ed25519, MLKEM, RSA_PKCS1_). Any developer or CI system running npm install arjson on Linux will execute opaque packed native code with kernel-level introspection and HTTP-exfiltration capability. The package is advertised as a JSON library; no legitimate purpose exists for shipping a packed eBPF/HTTP-capable preinstall binary.
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
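The mechanism described above, a lifecycle script in package.json that launches a packed native binary shipped under a CI-looking dot-directory, can be checked for before install scripts ever run. The following is an added example written for this advisory, not code from the package or from any vendor named here. It assumes a package directory containing package.json, walks the npm lifecycle hooks, and flags script targets that live in a hidden directory, carry the ELF magic, or contain UPX packer markers (the advisory mentions the upx.sf.net banner). The sample package it builds is constructed in a temporary directory; the "binary" is a few marker bytes, not real code, and the version string is a placeholder since the advisory lists none.

```python
import json
import os
import tempfile

# Lifecycle hooks npm runs automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
ELF_MAGIC = b"\x7fELF"
# Markers the UPX packer leaves in an image (the advisory cites the upx.sf.net banner).
UPX_MARKERS = (b"UPX!", b"upx.sf.net")
MAX_SCAN_BYTES = 4 * 1024 * 1024  # read at most this much when looking for markers


def script_path_tokens(script):
    """Tokens of a script line that look like file paths inside the package
    (e.g. ./.github/scripts/precheck); flags and URLs are ignored."""
    tokens = []
    for tok in script.split():
        if tok.startswith("-") or "://" in tok:
            continue
        if tok.startswith("./") or tok.startswith("../") or "/" in tok:
            tokens.append(tok)
    return tokens


def in_hidden_dir(rel_path):
    """True if any directory component is a dot-directory such as .github."""
    parts = os.path.normpath(rel_path).split(os.sep)
    return any(p.startswith(".") and p not in (".", "..") for p in parts[:-1])


def classify_file(path):
    """Reasons derived from file content: native ELF code and UPX packing."""
    reasons = []
    try:
        with open(path, "rb") as fh:
            head = fh.read(MAX_SCAN_BYTES)
    except OSError:
        return ["missing"]  # script points at a file the package does not ship
    if head.startswith(ELF_MAGIC):
        reasons.append("elf")
    if any(marker in head for marker in UPX_MARKERS):
        reasons.append("upx")
    return reasons


def audit_package(pkg_dir):
    """Inspect package.json lifecycle scripts; one finding per suspicious target."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not script:
            continue
        for target in script_path_tokens(script):
            reasons = []
            if in_hidden_dir(target):
                reasons.append("hidden-dir")
            reasons.extend(classify_file(os.path.join(pkg_dir, target)))
            if reasons:
                findings.append({"hook": hook, "script": script,
                                 "target": target, "reasons": reasons})
    return findings


def build_sample_package(root=None):
    """Construct a throwaway package mimicking the layout in the advisory.
    The 'binary' is a constructed stand-in (ELF magic plus UPX markers), not real code."""
    root = root or tempfile.mkdtemp(prefix="arjson-demo-")
    os.makedirs(os.path.join(root, ".github", "scripts"), exist_ok=True)
    os.makedirs(os.path.join(root, "scripts"), exist_ok=True)
    manifest = {
        "name": "arjson",
        "version": "0.0.0-placeholder",  # placeholder: the advisory lists no version
        "scripts": {
            "preinstall": "./.github/scripts/precheck",   # pattern from the advisory
            "postinstall": "node scripts/build.js",        # benign hook for contrast
        },
    }
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(root, ".github", "scripts", "precheck"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64 + b"UPX!"
                 + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $")
    with open(os.path.join(root, "scripts", "build.js"), "w", encoding="utf-8") as fh:
        fh.write("console.log('build');\n")
    return root


if __name__ == "__main__":
    for finding in audit_package(build_sample_package()):
        print(f"{finding['hook']}: {finding['target']} -> {', '.join(finding['reasons'])}")
```

Run it against an unpacked tarball (`npm pack <name>` then extract) before installing; a lifecycle hook whose target is a hidden-directory ELF with packer markers is exactly the case described here. Note that `npm install --ignore-scripts` suppresses these hooks entirely, which is the quickest mitigation while a suspect package is being reviewed.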
Credits
- Amazon Inspector · finder