VDB
GCVE-110-OSM-2026-5246
GCVE-110-OSM-2026-5246
Advisory PublishedCVSS 9.6/10
Part of the IronWorm self-propagating npm worm (JFrog Security Research, Jun 2026). The npm account 'asteroiddao' was compromised and used to publish a single malicious version of this package. ONLY version 3.0.1 is malicious; the package and all prior versions are legitimate. The malicious release adds a preinstall hook that harvests credentials (86 environment variables incl. AWS/GCP/Azure/GitHub/npm/AI-provider keys), drops a UPX-packed ELF and eBPF rootkit, injects code to steal Exodus wallet seed phrases, and exfiltrates over a Tor-based C2.
Malicious payload found in: package.json preinstall hook -> package/tools/setup (976KB UPX-packed Linux ELF) + eBPF rootkit (q2.bpf.c). Harvests 86 env vars and credential files (~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.claude/.credentials.json, ~/.codex/auth.json, ~/Cursor/auth.json, ~/.gemini/settings.json). Injects JS into Exodus (Electron) posting wallet password + BIP-39 mnemonic to http://127.0.0.1:8738. Exfiltrates via Tor C2 (/api/agent) with temp.sh fallback. Operator ETH wallet: 0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6. Spoofs committer claude@users.noreply.github.com and bots dependabot[bot]/renovate[bot]/github-actions[bot].
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | warp-contracts-plugin-deploy-test | 3.0.1 (affected) | — |
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.