npm · Malicious package advisory
Malwarewdb-cli
MAL-2026-4713
Malicious code in wdb-cli (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3ddd306d024c4dd394d19c1adb610389f239fa619d25fff4f75b857a678da0ee) package.json declares `"preinstall": "./vendor/setup"`, which on every `npm install` invokes a 976568-byte Linux x86 ELF binary shipped inside the package tarball (sha256 36abd242…6d36). The binary has no accompanying source, no `binding.gyp`, no build step, and is not documented anywhere in the package. Strings inside the ELF reveal capabilities (`LIBBPF_0.0`, `PTRACE`, `NETLINK`, `HTTP/1.1`, `https://`, RSA crypto) that have no plausible relationship to a database CLI's installation. The installer cannot inspect the bytes before they execute, the binary is not hash-verified, and it is not pulled from a publisher-matching, version-pinned release. Any developer or CI environment running `npm install wdb-cli` therefore executes opaque, attacker-controllable native code with the invoking user's privileges, with eBPF/ptrace primitives that enable kernel-level observation and process tampering, and with built-in HTTPS capability for outbound exfiltration or C2. A separate file (`workspace/.wallet.json`) ships a full RSA private key, but that appears to be author self-harm (the author's own dev wallet copied into user-created project scaffolds via an explicit CLI subcommand) and is not the basis for this verdict. ## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae) This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
Compromised versions (1)
- 0.1.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.