cwao-toolsnpm

package.json declares "preinstall": "./scripts/postbuild", and scripts/postbuild is a 976,568-byte stripped Linux x86 ELF (sha256 36abd242…). The package advertises itself as a Node.js CosmWasm/AO contract scaffolding tool — a pure JavaScript use case with no documented native component. Nothing in README or index.js references this binary or any native build step, and no source for it is shipped. Strings extracted from the binary include LIBBPF, PTRACE, NETLINK_DIAG, RSA, Ed25519, HTTP/1.1, TLS, and USERPROFILE — kernel-introspection (eBPF/ptrace), cryptographic, and HTTP/TLS capability that has no relationship to scaffolding code generation. The script is named postbuild despite being wired to the preinstall lifecycle hook, a cover-story naming choice consistent with evading casual review. Running npm install cwao-tools immediately executes this opaque native binary with the installer's privileges, giving the publisher arbitrary code execution on the installer's machine on every install.

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.