VYPR

npm · Malicious package advisory

Malware

weavedb-console

MAL-2026-4717

Malicious code in weavedb-console (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9cb1233d729c7aefcbe9024196bb4af52f78854aa5ed7f46afb4fa9cd59918c1)
package.json declares `"preinstall": "./src/compiler/native"`, which auto-executes a 976 KB stripped Linux ELF binary on every `npm install`. The binary is undocumented — no source is shipped, no README mention, and no JavaScript code in the package references it. Extracted strings show system-introspection capabilities (libbpf/eBPF, ptrace, netlink-diag), cryptographic primitives (RSA, Ed25519, MLKEM), an HTTP/1.1 client, GitHub REST API references (`api.github.com`, version header `2022-11-28`), `XMLHttpRequest`, and `USERPROFILE` — a system-introspection plus networking surface entirely inconsistent with the package's stated purpose (a Next.js admin console for WeaveDB, which requires no native compilation step). The binary is stripped and cannot be inspected before npm runs it. Installer harm: arbitrary attacker-controlled native code runs with the installer's privileges on `npm install`, with surface area (eBPF/ptrace) suggesting credential and process-memory access, and outbound HTTP/GitHub-API capability for exfiltration or further payload retrieval.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.2.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.