VYPR

npm · Malicious package advisory

Malware

test-weavedb-sdk

MAL-2026-4690

Malicious code in test-weavedb-sdk (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e3bf1d859670570df6b5400c4ae762c8de880ada809bb4c371f32339744b8f9d)
Package name impersonates the legitimate weavedb-sdk; lib/index.js is a near-verbatim copy of that SDK's Arweave/Warp/EthCrypto class so the package functions as a drop-in substitute. package.json declares "preinstall": "./dist/runtime.node", directly executing a 976KB opaque ELF on every `npm install`. The.node extension is deceptive — legitimate Node native addons are loaded via require()/dlopen, not spawned as standalone executables. Strings recovered from the binary include `HTTP/1.1`, `POST`, `DELETE`, `https://`, `USERPROFILE`, `LIBBPF_0.0` (eBPF), `PTRACE`, `Ed25519`, and `RSA_PKCS1_` — capabilities (HTTP egress, kernel-level eBPF, anti-debug ptrace, home-directory enumeration, cryptographic operations) consistent with an info-stealer / C2 implant and unrelated to the package's advertised purpose. The binary ships without source, build system, or any documentation, and runs unconditionally with the installer's privileges at install time.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 1.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.