monadenpm

[email protected] advertises itself as a JavaScript monad/flow utility library (cjs/index.js exports flow, of, opt, ka, dev), yet ships a 976KB UPX-packed Linux x86-64 ELF at src/compiler/native and wires it directly to the npm preinstall lifecycle hook (package.json: "preinstall": "./src/compiler/native"). On every npm install on Linux, this opaque native binary executes with the installer's privileges before any of the package's JavaScript is even evaluated. The binary is deliberately obfuscated via UPX packing (signature "http://upx.sf.net" present in the file) and unpacked strings reveal HTTP client primitives (HTTP/1.1, POST, DELETE, XMLHttp), HTTPS URLs, environment-variable access, eBPF references, and anti-debug indicators — none of which are needed for a pure-JS utility library. The package ships no C/C++/Rust source, no binding.gyp, no build system; the binary is not the product of a compile step but a prebuilt opaque payload. This is the canonical install-time dropper shape: arbitrary attacker-controlled native code executed on the installer's machine on npm install, with cover-story naming ("compiler/native") that contradicts the package's advertised purpose.

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.