VYPR

npm · Malicious package advisory

Malware

weavedb-exm-sdk-web

MAL-2026-4719

Malicious code in weavedb-exm-sdk-web (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3992f423f88c69e8c00223cc0ef81f970b8e178f1854beb00ef443586302ad89)
package.json declares `"preinstall": "./bin/install-deps"`, which runs a 976KB UPX-packed Linux x86 ELF binary on every `npm install`. The package self-describes as a pure-JavaScript 'Web Client for WeaveDB' — its index.js is a ~60-line HTTP wrapper around `https://${functionId}.exm.run` — with no native build step, no shipped C/C++/Rust source, and no purpose-aligned reason to ship or execute a Linux binary at install time. The binary carries the UPX runtime-unpacker signature (`http://upx.sf.net` at offset ~4574) so its actual payload is compressed and not statically reviewable; visible string fragments reference PTRACE (process tracing), libbpf (kernel packet filtering), HTTP client primitives, and GitHub API headers — capabilities entirely unrelated to a WeaveDB JS HTTP client. There is no hash/signature verification, no version pinning, no documentation of the binary's presence in the README, and the file is staged under a generic 'install-deps' cover name. Installer impact: any `npm install weavedb-exm-sdk-web` on a Linux host (developer machines, CI runners) executes attacker-controlled, process-privileged native code with capabilities (ptrace, eBPF) suitable for credential theft, process injection, and host-level surveillance, before any application code is loaded.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.7.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.