arnext-arkbnpm

package.json declares "preinstall": "./bin/install-deps", which points at a 976,568-byte Linux x86-64 ELF executable shipped in the tarball with no source, no build system, and no documentation. The binary is run as the installing user on every npm install. Strings inside the ELF include LIBBPF, PTRACE, HTTP/1.1, POST, USERPROFILE, and Ed25519 — capabilities (eBPF, process tracing, HTTP POST, cross-platform home-directory paths, key handling) that are unrelated to an Arweave deploy CLI. The package is also a clear impersonation of the legitimate Arweave arkb tool: it declares "bin": { "arkb": "./bin/app.js" } so npx arkb resolves to this package, its commands.js duplicates the real arkb help output (arkb ${command + usage}), and it lists @textury/ardb as a dependency to ride on the textury/Arweave brand. The combination of a typosquat lure plus an opaque preinstall native binary with no matching source is the canonical install-time-RCE / dropper pattern: any developer who runs npm install arnext-arkb (or installs it transitively) executes attacker-controlled native code under their own account before any other code runs.

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.