VYPR

npm · Malicious package advisory

Malware

wdb-cli

MAL-2026-4713

Malicious code in wdb-cli (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3ddd306d024c4dd394d19c1adb610389f239fa619d25fff4f75b857a678da0ee)
package.json declares `"preinstall": "./vendor/setup"`, which on every `npm install` invokes a 976568-byte Linux x86 ELF binary shipped inside the package tarball (sha256 36abd242…6d36). The binary has no accompanying source, no `binding.gyp`, no build step, and is not documented anywhere in the package. Strings inside the ELF reveal capabilities (`LIBBPF_0.0`, `PTRACE`, `NETLINK`, `HTTP/1.1`, `https://`, RSA crypto) that have no plausible relationship to a database CLI's installation. The installer cannot inspect the bytes before they execute, the binary is not hash-verified, and it is not pulled from a publisher-matching, version-pinned release. Any developer or CI environment running `npm install wdb-cli` therefore executes opaque, attacker-controllable native code with the invoking user's privileges, with eBPF/ptrace primitives that enable kernel-level observation and process tampering, and with built-in HTTPS capability for outbound exfiltration or C2. A separate file (`workspace/.wallet.json`) ships a full RSA private key, but that appears to be author self-harm (the author's own dev wallet copied into user-created project scaffolds via an explicit CLI subcommand) and is not the basis for this verdict.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.