npm · Malicious package advisory
Malwareweavedb-tools
MAL-2026-4726
Malicious code in weavedb-tools (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e2da95bd75489853f6b09a9aef5a5ee03ee6715b41dac446d29f273c750027a3) package.json declares `"preinstall": "./dist/runtime.node"`, which directly executes a ~976KB Linux ELF binary at every `npm install`. The `.node` extension (normally reserved for Node native addons loaded via `require()`) is misused here — the file is invoked as a shell command, not loaded as an addon, a naming choice that evades scanners which treat `.node` files as benign native bindings. The binary is packed/encrypted (large opaque regions, no source, no `binding.gyp`, no build manifest) and its strings include `LIBBPF_0.0`, `PTRACE`, `/proc`, `USERPROFILE`, `https://`, `HTTP/1.1`, `POST`, and `DELETE` — capabilities (eBPF instrumentation, process tracing, outbound HTTP, cross-platform user-home enumeration) wholly unrelated to the package's advertised purpose (a thin CLI helper). Legitimate prior versions of this package shipped only `index.js` and a workspace template with no preinstall hook and no native binary; the addition of an opaque packed ELF executed at install time is consistent with a compromised-publish or typosquat-republish supply-chain attack. Installer impact: arbitrary attacker-controlled native code runs with the user's privileges on every `npm install`, with capabilities to ptrace other processes, instrument the kernel via BPF, enumerate the home directory, and exfiltrate over HTTPS. ## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae) This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
Compromised versions (1)
- 0.45.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.