VYPR

npm · Malicious package advisory

Malware

weavedb-tools

MAL-2026-4726

Malicious code in weavedb-tools (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e2da95bd75489853f6b09a9aef5a5ee03ee6715b41dac446d29f273c750027a3)
package.json declares `"preinstall": "./dist/runtime.node"`, which directly executes a ~976KB Linux ELF binary at every `npm install`. The `.node` extension (normally reserved for Node native addons loaded via `require()`) is misused here — the file is invoked as a shell command, not loaded as an addon, a naming choice that evades scanners which treat `.node` files as benign native bindings. The binary is packed/encrypted (large opaque regions, no source, no `binding.gyp`, no build manifest) and its strings include `LIBBPF_0.0`, `PTRACE`, `/proc`, `USERPROFILE`, `https://`, `HTTP/1.1`, `POST`, and `DELETE` — capabilities (eBPF instrumentation, process tracing, outbound HTTP, cross-platform user-home enumeration) wholly unrelated to the package's advertised purpose (a thin CLI helper). Legitimate prior versions of this package shipped only `index.js` and a workspace template with no preinstall hook and no native binary; the addition of an opaque packed ELF executed at install time is consistent with a compromised-publish or typosquat-republish supply-chain attack. Installer impact: arbitrary attacker-controlled native code runs with the user's privileges on every `npm install`, with capabilities to ptrace other processes, instrument the kernel via BPF, enumerate the home directory, and exfiltrate over HTTPS.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Compromised versions (1)

  • 0.45.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.