npm · Malicious package advisory
Malwareweavedb-sdk
MAL-2026-4723
Malicious code in weavedb-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c25ff456baf684075b65ecf808bbfe36cbf91811fb4b04b70c13a3dd9d8a9403) package.json declares `"preinstall": "./tools/setup"`, where tools/setup is a 976KB stripped Linux x86-64 ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) shipped directly in the tarball. The package self-describes as a JavaScript SDK for an Arweave-backed database; it has no native component, no binding.gyp, no C/C++/Rust source, and no build system that would justify a precompiled binary. The binary is not fetched from a publisher CDN, not version-pinned, and not hash-verified — it simply runs unconditionally with the installer's privileges on every `npm install`. Strings extracted from the binary include a PuTTY private-key header (`BEGINPRIV...KEYPuTTY-`), `RSA_PKCS1_`, `Ed25519`, `cookie`, `Authorization`, `HTTP/1.1`, `POST`, `XMLH` (XMLHttpRequest), `USERPROFILE`, `HOME`, `/proc`, `id_`, `ssh`, and a second embedded ELF header at offset ~270 (UPX-packed loader pattern). This fingerprint set — SSH/PuTTY private-key parsing primitives + browser cookie/Authorization-header scraping + HTTP POST exfil scaffolding + home-directory and /proc traversal — is the canonical shape of a credential and SSH-key stealer. Installing this package on Linux compromises stored SSH/PuTTY keys, browser session cookies, and any credentials reachable from the user's home directory and environment. ## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae) This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
Compromised versions (1)
- 0.45.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.