npm · Malicious package advisory
Malwareweavedb-sdk-base
MAL-2026-4724
Malicious code in weavedb-sdk-base (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (40b4b0c5f79c0370a77c3b559b70389ffee591aa22c76ca15c4077fe95b5078e) package.json declares `"preinstall": "./bin/install-deps"`, pointing at a ~976KB packed Linux x86-64 ELF binary shipped in the tarball (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36). The package self-describes as a pure-JavaScript decentralized-DB SDK, so a native Linux helper has no documented purpose during install. No source code (.c/.cc/.rs/binding.gyp), no node-gyp or prebuild-install machinery, and no hash/signature verification accompanies the binary; its bytes are packed (fragmented, non-contiguous strings characteristic of UPX or a custom packer), preventing review. Extracted strings reveal HTTP/1.1, POST, DELETE, https://, USERPROFILE, LIBBPF (eBPF), PTRACE, and TLS/cipher routines — capabilities entirely inconsistent with a JavaScript SDK and consistent with a credential-harvest / surveillance / RCE payload. On `npm install weavedb-sdk-base` on Linux, this binary executes with the installer's UID before dependency resolution completes, giving the publisher arbitrary native code execution on the installer's machine. ## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae) This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
Compromised versions (1)
- 0.21.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.