OSV ID: MAL-2026-5189
Ecosystem: npm
Summary:
package.json declares "preinstall": "./.github/scripts/precheck", so npm install executes a 976KB UPX-packed Linux ELF binary shipped under .github/scripts/ (a path chosen to resemble CI tooling). The binary has no accompanying source, is compressed with UPX (the http://upx.sf.net banner is present in the packed image) to defeat static inspection, and its embedded strings reveal capabilities far beyond anything a JSON serialization library would require: libbpf/eBPF (LIBBPF_0.0), kernel tracing (PTRACE), netlink socket-diag enumeration (NETLINK_*_DIAG, INODE), HTTP client primitives (HTTP/1.1, POST, DELETE), a GitHub API client (the 2022-11-28 API version), Windows path handling (USERPROFILE), and asymmetric crypto (Ed25519, MLKEM, RSA_PKCS1_). Any developer or CI system running npm install arjson on Linux will execute opaque packed native code with kernel-level introspection and HTTP exfiltration capability. The package is advertised as a JSON library; no legitimate purpose exists for shipping a packed eBPF/HTTP-capable preinstall binary.
Source: amazon-inspector (00290c05e0c41a8f51d38c629ade5b3fe76f2a89302db8daac669b0c80d13197)