MAL-2026-4714

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wdb-sdk/MAL-2026-4714.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4714
Published
2026-05-26T01:00:22Z
Modified
2026-05-26T06:03:02.783582805Z
Summary
Malicious code in wdb-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (05323f987b64131618be124040867a2acb216aef96952a6a3dfc11c615501500)

package.json declares "preinstall": "./dist/runtime.node", causing npm to spawn the shipped file as an executable on every install on Linux. Despite the .node extension (which would normally indicate a Node-API addon loaded via require()), the file is a 976KB stripped/packed ELF binary, not a native addon — Node addons are never spawned as processes. The binary contains strings indicating network I/O (HTTP/1.1, POST, https://), host enumeration (USERPROFILE, /lib64, linux-x86), kernel/eBPF and ptrace primitives (LIBBPF_0.0, PTRACE), and modern crypto (RSA/Ed25519/X448/MLKEM), with packed/obfuscated fragments. The package ships no source, no binding.gyp, no node-gyp/prebuild-install/node-pre-gyp scaffolding, no checksum, and no version-pinned publisher-hosted release URL — none of the legitimate native-addon shape. The .node filename is a deliberate disguise to make the executable look like a benign addon. Any developer or CI system running npm install wdb-sdk on Linux executes this attacker-controlled binary with the installer's privileges.
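
A defender-side check for the pattern described in the details above, as an added example that is not part of the advisory or of any scanner's code: it flags install-time lifecycle scripts whose command is a file shipped in the package that begins with the ELF magic bytes. The function names and the two fixture packages are constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const HOOKS = ['preinstall', 'install', 'postinstall'];
const ELF_MAGIC = Buffer.from([0x7f, 0x45, 0x4c, 0x46]); // "\x7fELF"

// Read the first four bytes of a file and compare them with the ELF magic.
function startsWithElfMagic(file) {
  const fd = fs.openSync(file, 'r');
  const head = Buffer.alloc(4);
  try { return fs.readSync(fd, head, 0, 4, 0) === 4 && head.equals(ELF_MAGIC); }
  finally { fs.closeSync(fd); }
}

// Return one finding per install hook whose command is a packaged ELF file.
function auditPackage(pkgDir) {
  const manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
  const findings = [];
  for (const hook of HOOKS) {
    const command = (manifest.scripts || {})[hook];
    if (typeof command !== 'string') continue;
    const firstToken = command.trim().split(/\s+/)[0];
    const target = path.resolve(pkgDir, firstToken);
    // Only inspect regular files that live inside the package directory.
    if (!target.startsWith(path.resolve(pkgDir) + path.sep)) continue;
    if (!fs.existsSync(target) || !fs.statSync(target).isFile()) continue;
    if (startsWithElfMagic(target)) {
      findings.push({ hook, target: path.relative(pkgDir, target),
        disguisedAsAddon: path.extname(target) === '.node' });
    }
  }
  return findings;
}

// Constructed fixtures: a manifest shaped like the advisory's, plus a benign one.
function buildFixture(scripts, files) {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'hook-audit-'));
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name: 'constructed-demo', scripts }));
  for (const [rel, bytes] of Object.entries(files)) {
    fs.mkdirSync(path.dirname(path.join(dir, rel)), { recursive: true });
    fs.writeFileSync(path.join(dir, rel), bytes);
  }
  return dir;
}

const flagged = buildFixture({ preinstall: './dist/runtime.node' },
  { 'dist/runtime.node': Buffer.concat([ELF_MAGIC, Buffer.alloc(12)]) }); // header stub, not a real binary
const benign = buildFixture({ install: 'node-gyp rebuild' }, { 'binding.gyp': '{}' });
console.log(auditPackage(flagged), auditPackage(benign));
```

Point it at an unpacked tarball, or at a tree installed with `npm install --ignore-scripts`, so the hook is inspected without being run. It only covers hooks that name the file directly; a hook that reaches the binary through a shell wrapper or a JavaScript loader needs a separate check.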

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "05323f987b64131618be124040867a2acb216aef96952a6a3dfc11c615501500",
            "modified_time": "2026-05-26T01:00:22Z",
            "versions": [
                "0.1.2"
            ],
            "id": "IN-MAL-2026-004818",
            "import_time": "2026-05-26T05:53:20.571480614Z"
        },
        {
            "sha256": "41b2d5a1d7c854367ea1055af8d4ea71a425bdff2a55888f86caaf7d53e5df16",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T01:01:33Z",
            "import_time": "2026-05-26T05:53:22.795939049Z",
            "versions": [
                "0.1.2"
            ],
            "id": "IN-MAL-2026-004837"
        }
    ]
}

Affected packages

npm / wdb-sdk

Package

Affected ranges

Affected versions

0.*
0.1.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wdb-sdk/MAL-2026-4714.json"
indicators
{
    "domains": [
        "pkg.pr.new"
    ],
    "package_integrity": [
        {
            "filename": "wdb-sdk-0.1.2.tgz",
            "hashes": {
                "sha1": "6b42774d5bec9cc585516763c424ebe5fe2ff39b",
                "sha512_sri": "sha512-SZ/PETBW353z9MGudwOXdlhAmYA9iJRijDg5ladQMNHp0dl8IUPC7U1+jJapI2z+KVsf96Nuv6EX9NNnBvIoHQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "6ce0e520cc70ee5368d452e1d5ae01c36ea329ab1414fd0933f6351c9e9c74b21bd609",
            "sha256": "4bb9e1216c5d41591931a3d4c6fb4bab41df5eb8e87e2c913dbb4aa100d784ba"
        },
        {
            "path": "dist/runtime.node",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]