-= Per source details. Do not edit below this line.=-
Package name impersonates the legitimate weavedb-sdk; lib/index.js is a near-verbatim copy of that SDK's Arweave/Warp/EthCrypto class, so the package functions as a drop-in substitute. package.json declares "preinstall": "./dist/runtime.node", which directly executes a 976KB opaque ELF on every npm install. The .node extension is deceptive — legitimate Node native addons are loaded via require()/dlopen, not spawned as standalone executables. Strings recovered from the binary include HTTP/1.1, POST, DELETE, https://, USERPROFILE, LIBBPF_0.0 (eBPF), PTRACE, Ed25519, and RSA_PKCS1_ — capabilities (HTTP egress, kernel-level eBPF, anti-debug ptrace, home-directory enumeration, cryptographic operations) consistent with an info-stealer / C2 implant and unrelated to the package's advertised purpose. The binary ships without source, build system, or any documentation, and runs unconditionally with the installer's privileges at install time.
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
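The install-hook pattern described above (a lifecycle script whose "program" is a bundled native binary with a misleading .node extension) is straightforward to detect before a package is installed. The following is an added example, not code from the advisory or from any scanner; the sample manifest and the ELF-header stand-in for dist/runtime.node are constructed here to mirror the advisory, not the real package contents.

```python
import json
import shlex
from typing import Dict, List, Optional

# Lifecycle hooks npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Magic bytes of native executable containers. A bundled file starting with
# one of these, named as the program of an install hook, is a red flag.
EXECUTABLE_MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE",
    b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xfe\xed\xfa\xcf": "Mach-O",
}

def executable_format(data: bytes) -> Optional[str]:
    """Return the native executable format of `data`, or None for text/JS."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def audit_install_hooks(package_json: str, files: Dict[str, bytes]) -> List[str]:
    """Flag install-time hooks that run a file shipped inside the package.

    `files` maps package-relative paths to contents from the unpacked tarball.
    """
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        argv = shlex.split(cmd)          # argv[0] is the program being executed
        if not argv:
            continue
        prog = argv[0]
        # Native addons are loaded with require()/dlopen; spawning one is abnormal.
        if prog.endswith(".node"):
            findings.append(f"{hook}: spawns a '.node' file as a program ({prog})")
        # A path inside the package (rather than node/npm/sh) executes shipped bytes.
        if "/" in prog:
            data = files.get(prog[2:] if prog.startswith("./") else prog)
            fmt = executable_format(data) if data is not None else None
            if fmt:
                findings.append(f"{hook}: runs bundled native {fmt} executable {prog}")
    return findings

# Constructed sample mirroring the advisory's manifest (not the real package).
SAMPLE_PACKAGE_JSON = json.dumps({"name": "test-weavedb-sdk", "version": "1.1.1",
                                  "scripts": {"preinstall": "./dist/runtime.node"}})
SAMPLE_FILES = {"dist/runtime.node": b"\x7fELF\x02\x01\x01" + b"\x00" * 57,
                "lib/index.js": b"module.exports = class SDK {};\n"}

if __name__ == "__main__":
    for finding in audit_install_hooks(SAMPLE_PACKAGE_JSON, SAMPLE_FILES):
        print("FINDING:", finding)
```

The same check run over a manifest whose hooks only invoke node or a shell script returns no findings, so it can sit in a pre-install allowlist step without noise.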
{
  "malicious-packages-origins": [
    {
      "modified_time": "2026-05-26T01:01:08Z",
      "versions": [
        "1.1.1"
      ],
      "sha256": "e3bf1d859670570df6b5400c4ae762c8de880ada809bb4c371f32339744b8f9d",
      "id": "IN-MAL-2026-004829",
      "source": "amazon-inspector",
      "import_time": "2026-05-26T05:53:21.891510223Z"
    },
    {
      "modified_time": "2026-06-04T22:28:51.769005667Z",
      "versions": [
        "1.1.1"
      ],
      "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
      "source": "google-open-source-security",
      "import_time": "2026-06-04T22:42:01.227855Z"
    }
  ]
}
{
  "evidence_files": [
    {
      "sha256": "b892830c2bd36b2eb85405aa7a2f242267885f6add576f120ab46cb8504480ab",
      "tlsh": "5d1127b0cea6cdd3aad462e520b8528322b1da834848f84d7396138d4f4e56f717a95e",
      "path": "package.json"
    },
    {
      "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
      "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
      "path": "dist/runtime.node"
    }
  ],
  "package_integrity": [
    {
      "hashes": {
        "sha512_sri": "sha512-xeP7YiklbQHFyOyEC1GroFNzUORbHhJXuRprYyMBYoCObSZVwonRCSrlLTo7nKUoagA94VsUZ0NaATB9Ga2e0g==",
        "sha1": "f6990792451a6153e343161b96aeb190433535c9"
      },
      "filename": "test-weavedb-sdk-1.1.1.tgz"
    }
  ]
}
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test-weavedb-sdk/MAL-2026-4690.json"