VYPR

npm · Malicious package advisory

Malware

wdb-sdk

MAL-2026-4714

Malicious code in wdb-sdk (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (05323f987b64131618be124040867a2acb216aef96952a6a3dfc11c615501500)
package.json declares `"preinstall": "./dist/runtime.node"`, causing npm to spawn the shipped file as an executable on every install on Linux. Despite the `.node` extension (which would normally indicate a Node-API addon loaded via `require()`), the file is a 976KB stripped/packed ELF binary, not a native addon — Node addons are never spawned as processes. The binary contains strings indicating network I/O (HTTP/1.1, POST, https://), host enumeration (USERPROFILE, /lib64, linux-x86), kernel/eBPF and ptrace primitives (LIBBPF_0.0, PTRACE), and modern crypto (RSA/Ed25519/X448/MLKEM), with packed/obfuscated fragments. The package ships no source, no binding.gyp, no node-gyp/prebuild-install/node-pre-gyp scaffolding, no checksum, and no version-pinned publisher-hosted release URL — none of the legitimate native-addon shape. The `.node` filename is a deliberate disguise to make the executable look like a benign addon. Any developer or CI system running `npm install wdb-sdk` on Linux executes this attacker-controlled binary with the installer's privileges.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.1.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.