create-arnext-app@0.0.10
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4538
Ecosystem: npm
Summary
The package declares "preinstall": "./.github/scripts/precheck" in package.json, which invokes a 976KB stripped Linux x86_64 ELF binary hidden under .github/scripts/. The binary auto-executes unconditionally on npm install.

Strings extracted from the binary reveal capabilities entirely inconsistent with the package's stated purpose (a create-*-app template scaffolder that copies a directory and runs yarn): PTRACE (anti-debug/process tracing), LIBBPF (kernel-level packet filtering/evasion), HTTP/1.1 with POST and DELETE methods, https:// endpoints, RSA_PKCS1, Ed25519, and MLKEM (post-quantum key exchange) cryptographic primitives, and USERPROFILE host-identifier enumeration. The combination of kernel evasion + outbound HTTPS channel + KEM crypto + host-identifier fields is the fingerprint of an installer-targeted implant, not a precheck script.

The binary is staged in .github/scripts/, an unusual location for runtime artifacts (typically reserved for CI configuration), which is consistent with concealment from casual review. The package name additionally resembles the legitimate create-next-app family, increasing the chance of a confused install.

Installer impact: any developer running npm install create-arnext-app executes attacker-controlled native code on their machine with their privileges, which is equivalent to remote code execution.
Source: amazon-inspector (67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667)
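A defender-side check for the pattern described in the summary, as an added example that is not part of the OSV record or the reporting tool: it flags install-time lifecycle hooks in a package.json whose first command token is an ELF file shipped inside the package, and notes whether that file sits under a dot-directory. The function names, the temp-directory prefix and the 4-byte stand-in file are assumptions made for the example.

```javascript
// Added example: flags npm lifecycle hooks whose target is an ELF binary.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const HOOKS = ["preinstall", "install", "postinstall"]; // run automatically by `npm install`
const ELF_MAGIC = Buffer.from([0x7f, 0x45, 0x4c, 0x46]); // "\x7fELF"

function isElf(file) {
  const fd = fs.openSync(file, "r");
  try {
    const head = Buffer.alloc(4);
    return fs.readSync(fd, head, 0, 4, 0) === 4 && head.equals(ELF_MAGIC);
  } finally {
    fs.closeSync(fd);
  }
}

// Returns one finding per install-time hook that launches an ELF file shipped in the package.
function findNativeInstallHooks(pkgDir) {
  const manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, "package.json"), "utf8"));
  const findings = [];
  for (const hook of HOOKS) {
    const command = (manifest.scripts || {})[hook];
    if (typeof command !== "string") continue;
    const target = path.resolve(pkgDir, command.trim().split(/\s+/)[0]);
    const rel = path.relative(pkgDir, target);
    if (rel.startsWith("..") || path.isAbsolute(rel)) continue; // not a file inside the package
    if (!fs.existsSync(target) || !fs.statSync(target).isFile()) continue; // e.g. "node" or "yarn"
    if (!isElf(target)) continue;
    const hidden = rel.split(path.sep).some((part) => part.startsWith("."));
    findings.push({ hook, target: rel.split(path.sep).join("/"), hidden });
  }
  return findings;
}

// Constructed sample: a manifest like the one described, with a 4-byte stand-in for the binary.
function buildSample(preinstall, fileBytes) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "hookscan-"));
  fs.mkdirSync(path.join(dir, ".github", "scripts"), { recursive: true });
  fs.writeFileSync(path.join(dir, ".github", "scripts", "precheck"), fileBytes);
  fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify({ name: "sample", scripts: { preinstall } }));
  return dir;
}

console.log(findNativeInstallHooks(buildSample("./.github/scripts/precheck", ELF_MAGIC)));
```

Run findNativeInstallHooks against a package directory that was unpacked or installed with npm install --ignore-scripts, so the hook under inspection has not already executed. The check covers only hooks that launch a bundled ELF file directly; hooks that go through node or a shell script need separate review.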