VYPR

npm · Malicious package advisory

Malware

weavedb-exm-sdk

MAL-2026-4718

Malicious code in weavedb-exm-sdk (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (78ab05b11a1c784b066c89ffaff7bdf3a3351c611818e1d310cf718a64f20aec)
package.json declares `"preinstall": "./vendor/setup"`, causing every `npm install weavedb-exm-sdk` to execute vendor/setup — a 976,568-byte Linux x86 ELF that is UPX-packed (the `http://upx.sf.net` self-decompressor banner is present at offset ~4574). The package's advertised purpose is a pure-JS WeaveDB/EXM SDK that wraps @execution-machine/sdk, arweave, and ramda; the source tree contains no native code, no binding.gyp, no node-gyp build, and no documented reason to ship a Linux native binary. Strings recovered from the binary's tail include `LIBBPF`, `PTRACE`, `NETLINK`, `HTTP/1.1`, `POST`, `https://`, and `USERPROFILE` — capabilities (eBPF/ptrace/network) that a JavaScript SDK has no need for. UPX packing of an install-time payload is an intentional anti-analysis measure: the executable bytes are not auditable from the source tree. This is a textbook opaque-binary dropper at preinstall time — the installer runs attacker-controlled native code on every `npm install`, with no hash verification, no purpose match, and no transparency.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.7.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.