wellnpm@3.0.2

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 9:50 PM UTC

Malicious

OSV ID

MAL-2026-6501

Ecosystem

npm

Summary

wellnpm@2.0.9 ships a 24MB ELF binary named launch, which is the XMRig Monero miner (RandomX, cn/upx2 and ghostrider algorithm strings, libuv/OpenSSL linkage, hashvault pool references). package.json declares "main": "launch" and "scripts.start": "./launch", so running npm start on this package immediately launches the miner.

A bundled config.json is pre-configured against pool.hashvault.pro:80 with the hardcoded recipient wallet 4AUTfJGTvT8A98PSE99EunfrnUbkWe9vU3FN3qsABQLP5aPKQuvWS5sCaD9WaXFQUqNtDLb9dcxiBgJiWCfjvDXp5ptWDYG, so all hashrate from victim machines is credited to the author.

A second script, scripts.deploy, targets Android Termux: it moves libuv.so into /data/data/com.termux/files/usr/lib, chmod +x's the xmr and edit shell wrappers, and copies them into /data/data/com.termux/files/usr/bin so the miner becomes a persistent, PATH-resolvable command in the user's Termux environment. The wrappers themselves are one-liners that cd node_modules/wellnpm && npm start.

The README does not mention mining, and the metadata is placeholder (author: Your Name <wellenterprise81.gmail.com>, description: A brief description of your package). This is a cryptojacking dropper masquerading as an npm module.

Source: amazon-inspector (2cce5614817c010bad6d6bd86146713b627ad235b87d9ccd341bd3d996a80119)
