VYPR

npm · Malicious package advisory

Malware

weavedb-sdk-node

MAL-2026-4725

Malicious code in weavedb-sdk-node (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (59e557cd0501bb17925a19c5d3525fdf18f286b21750a44c0164eb7e165f55d9)
package.json declares "preinstall": "./dist/runtime.node", causing npm to execute a ~976 KB packed binary on every install. The file uses the `.node` extension typically reserved for Node.js native addons loaded via require()/process.dlopen, but here it is invoked directly as a shell command — not loaded as an addon. The binary is opaque (mostly non-ASCII, packed/obfuscated) and contains strings indicating HTTP networking (HTTP/1.1, POST, DELETE), environment-variable enumeration (USERPROFILE, PATH, LANG), TLS, and RSA/Ed25519 cryptography. There is no shipped source, no node-gyp/prebuild-install scaffolding, and no documented purpose for executing a binary at install. The combination of (a) lifecycle-hook execution of a shipped opaque binary, (b) misleading `.node` extension on a non-addon executable, and (c) embedded networking + env-scraping + crypto capability strings matches the dropper/credential-stealer fingerprint. On `npm install`, attacker-controlled code runs with the installer's privileges and has the capability to exfiltrate environment variables and credentials.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.45.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.