zkjsonnpm

package.json declares "preinstall": "./.github/scripts/precheck", pointing to a 976 KB Linux ELF executable (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) shipped inside the tarball at .github/scripts/precheck. The binary runs automatically with the installer's privileges on every npm install. The package self-describes as a pure-JS 'Zero Knowledge Provable JSON' library whose main exports only JS classes from cjs/index.js; there is no source, build script, documentation, or stated purpose justifying a native executable. Extracted strings indicate HTTP-client primitives (HTTP/1.1, POST, GET, Host:, https://) and OAuth-related tokens, consistent with a network-active payload. There is no version pinning, no hash verification, and no reproducible build path for the binary — the published bytes are the only artifact installers receive. Shipping an opaque networked ELF as a preinstall hook in a library that advertises no native component is the canonical install-time dropper shape and gives the publisher arbitrary code execution on every installer's machine.

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.