MAL-2026-4713

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wdb-cli/MAL-2026-4713.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4713
Published
2026-05-26T01:00:19Z
Modified
2026-06-04T23:16:41.726080953Z
Summary
Malicious code in wdb-cli (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3ddd306d024c4dd394d19c1adb610389f239fa619d25fff4f75b857a678da0ee)

package.json declares "preinstall": "./vendor/setup", which on every npm install invokes a 976568-byte Linux x86 ELF binary shipped inside the package tarball (sha256 36abd242…6d36). The binary has no accompanying source, no binding.gyp, no build step, and is not documented anywhere in the package. Strings inside the ELF reveal capabilities (LIBBPF_0.0, PTRACE, NETLINK, HTTP/1.1, https://, RSA crypto) that have no plausible relationship to a database CLI's installation. The installer cannot inspect the bytes before they execute, the binary is not hash-verified, and it is not pulled from a publisher-matching, version-pinned release. Any developer or CI environment running npm install wdb-cli therefore executes opaque, attacker-controllable native code with the invoking user's privileges, with eBPF/ptrace primitives that enable kernel-level observation and process tampering, and with built-in HTTPS capability for outbound exfiltration or C2. A separate file (workspace/.wallet.json) ships a full RSA private key, but that appears to be author self-harm (the author's own dev wallet copied into user-created project scaffolds via an explicit CLI subcommand) and is not the basis for this verdict.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
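A defender-side check for the pattern both source writeups describe (an install lifecycle hook in package.json that executes a native binary shipped inside the tarball), added here as an example and not part of the OSV record or of any scanner named above. It audits a constructed stand-in tarball with the same hook shape (a "preinstall": "./vendor/setup" entry pointing at a dummy ELF file) rather than the real wdb-cli-0.1.1.tgz; the function names, the lifecycle hook list and the sample data are assumptions.

```python
import io
import json
import posixpath
import shlex
import tarfile

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
ELF_MAGIC = b"\x7fELF"


def audit_npm_tarball(tgz):
    """Flag lifecycle hooks whose command is a packaged file with an ELF header."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        pkg = members.get("package/package.json")  # npm tarballs root at package/
        if pkg is None:
            return ["package/package.json missing"]
        scripts = json.load(tar.extractfile(pkg)).get("scripts", {})
        has_gyp = "package/binding.gyp" in members  # legitimate native addons ship one
        for hook in LIFECYCLE:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            argv = shlex.split(cmd)
            if not argv:
                continue
            # Resolve the first token against the tarball; tools on PATH (node, npm) won't match
            target = posixpath.normpath(posixpath.join("package", argv[0]))
            member = members.get(target)
            if member is None:
                continue
            if tar.extractfile(member).read(4) == ELF_MAGIC:
                note = "" if has_gyp else ", no binding.gyp/build step"
                findings.append(f"{hook} runs packaged ELF binary {target} ({member.size} bytes{note})")
    return findings


def build_sample_tarball(preinstall="./vendor/setup"):
    """Constructed stand-in tarball (not the real package): same hook shape, dummy ELF header."""
    scripts = {"test": "node test.js"}
    if preinstall:
        scripts["preinstall"] = preinstall
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (
            ("package/package.json", json.dumps({"name": "wdb-cli", "version": "0.1.1", "scripts": scripts}).encode()),
            ("package/vendor/setup", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61),  # 68-byte fake ELF
        ):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_npm_tarball(build_sample_tarball()):
        print("FLAG:", finding)
```

Run it against a real tarball with `audit_npm_tarball(open("pkg.tgz", "rb").read())`; an empty list means no lifecycle hook resolved to a packaged ELF file, not that the package is clean.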

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004816",
            "versions": [
                "0.1.1"
            ],
            "sha256": "3ddd306d024c4dd394d19c1adb610389f239fa619d25fff4f75b857a678da0ee",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T01:00:19Z",
            "import_time": "2026-05-26T05:53:20.34010638Z"
        },
        {
            "versions": [
                "0.1.1"
            ],
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "source": "google-open-source-security",
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "import_time": "2026-06-04T22:42:01.227855Z"
        }
    ]
}

Affected packages

Package: npm / wdb-cli
Affected ranges: 0.*
Affected versions: 0.1.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "0997712a59f1f99d6bfa17d0d5d69ab2901444a9e42ec708e1607cbe36325637",
            "tlsh": "ccd05b70cd756a7318c467e4947f5a0776530c63140cfc1c23d3511c979c92728bd49d"
        },
        {
            "path": "workspace/.wallet.json",
            "sha256": "e644e4f707f9c97943bac2456c3ad335f6d98b57950f764c5744c74b4e2e3e42",
            "tlsh": "48516c88954b70124483a50c350b21c9b55e1e4fcad328de7592ccdae7b2a2d6adfd91"
        }
    ],
    "package_integrity": [
        {
            "filename": "wdb-cli-0.1.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-/x7YnNRg9oJHreyC0+RopLC9d0mJgpTWh+AeE51Gi7LqGO/7aeQlFpnoSSNsd/JGUVqk0tA6bYVRDafy86/LhQ==",
                "sha1": "d9df2cbb8a203d7f35e4985098b7ed096652c26a"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wdb-cli/MAL-2026-4713.json"