MAL-2026-4716

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-client/MAL-2026-4716.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4716
Published
2026-05-26T01:01:01Z
Modified
2026-06-04T23:16:41.741477902Z
Summary
Malicious code in weavedb-client (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (469844df44557b10f865edf7d3d000fd90c901c6a42cc5402116247dca1528f0)

package.json declares "preinstall": "./scripts/postbuild". The referenced file is not a script but a 976,568-byte UPX-packed Linux x86-64 ELF binary (ELF magic \x7fELF\x02\x01\x01, upx.sf.net marker, dynamic loader reference /lib64/ld-linux-x86-64.so). Every npm install of this package executes this opaque native binary on the installer's machine, with no source, no hash/signature verification, and no documented purpose. The package's stated purpose is a JavaScript gRPC client for WeaveDB and has no legitimate requirement for a packed native Linux executable at install time. Strings extracted from the binary include KEYPuTTY-User-Key-File, BEGINPRIV, RSA_PKCS1_, Ed25519 (private-key parsing), oauthToken, dcTok (OAuth/Discord token field names), 2022-11-28 (GitHub REST API version header), USERPROFILE/HOME/PATH (environment scraping), PTRACE/NETLINK_DIAG (process/socket inspection), and HTTP client primitives (HTTP/1.1, application/json, Phttps://). This constellation matches a credential-harvester profile targeting SSH/PuTTY private keys, GitHub tokens, OAuth/Discord tokens, and environment variables, with HTTPS exfiltration. An earlier version (0.44.0) of the package had no install scripts; the preinstall + ELF were added without corresponding source-tree changes, consistent with a malicious release.
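The install-hook check implied by the analysis above, as an added defensive example that is not part of the advisory or of any scanner's code: it reads a package's package.json, follows each npm lifecycle hook whose command points at a file inside the package, and reports when that file is an ELF binary, recording the UPX marker and 64-bit class as supporting evidence. The fixture directory it builds is constructed for the demonstration and is not the real weavedb-client tarball.

```python
import json
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs automatically during install (the advisory's package used "preinstall").
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
ELF_MAGIC = b"\x7fELF"


def classify_target(path: Path) -> dict:
    """Collect file-type evidence for a hook target: ELF magic, EI_CLASS, UPX marker."""
    data = path.read_bytes()
    return {
        "size": len(data),
        "is_elf": data.startswith(ELF_MAGIC),
        "is_64bit": len(data) > 4 and data[4] == 2,  # EI_CLASS == 2 means ELF64
        "upx_packed": b"UPX!" in data or b"upx.sf.net" in data,
    }


def audit_install_scripts(pkg_dir: str) -> list[dict]:
    """Flag lifecycle hooks whose first token resolves to a native ELF binary shipped in the package."""
    root = Path(pkg_dir).resolve()
    scripts = json.loads((root / "package.json").read_text()).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        first = cmd.split()[0]
        target = (root / first).resolve()  # "node", "sh" etc. are not package files and are skipped
        if target.is_file() and root in target.parents:
            info = classify_target(target)
            if info["is_elf"]:
                findings.append({"hook": hook, "command": cmd, "path": first, **info})
    return findings


def build_sample_package(malicious: bool = True) -> str:
    """Constructed fixture mimicking the advisory's layout; contents are synthetic, not the real package."""
    root = Path(tempfile.mkdtemp())
    (root / "scripts").mkdir()
    if malicious:
        scripts = {"preinstall": "./scripts/postbuild"}
        # Stand-in for a UPX-packed x86-64 ELF: magic bytes, EI_CLASS=2, then packer marker strings.
        blob = b"\x7fELF\x02\x01\x01" + b"\x00" * 57 + b"UPX!$Info: packed with upx.sf.net $"
        (root / "scripts" / "postbuild").write_bytes(blob)
    else:
        scripts = {"postinstall": "node scripts/setup.js"}
        (root / "scripts" / "setup.js").write_text("console.log('setup');\n")
    (root / "package.json").write_text(json.dumps({"name": "sample", "scripts": scripts}))
    return str(root)


if __name__ == "__main__":
    print(audit_install_scripts(build_sample_package()))
```

The check only resolves package-relative targets; a hook that invokes an interpreter such as `node` still deserves review of the script it runs, which this example does not follow.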

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-26T01:01:01Z",
            "versions": [
                "0.45.3"
            ],
            "sha256": "469844df44557b10f865edf7d3d000fd90c901c6a42cc5402116247dca1528f0",
            "id": "IN-MAL-2026-004827",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:21.649986328Z"
        },
        {
            "import_time": "2026-06-04T22:42:01.227855Z",
            "versions": [
                "0.45.3"
            ],
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "source": "google-open-source-security",
            "modified_time": "2026-06-04T22:28:51.769005667Z"
        }
    ]
}
References
Credits

Affected packages

npm / weavedb-client

Package: weavedb-client
Affected ranges: 0.*
Affected versions: 0.45.3

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "c09c111b6eb35d3fc12196177506db613c38fdc4d85a9bd4c2bea9d7b52449f2",
            "tlsh": "b1f0e570dda1da6304c452ae54b7924379a81c03098cfc0833d3e30c4f4ea6b31b9a5d",
            "path": "package.json"
        },
        {
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
            "path": "scripts/postbuild"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-CSrHxHlmG2QidRrqWGxmviG/dz4RgmbLKjf9sW/O1va3NGi3PhcCIxxA0FmyxmHM4CW1TUdPRVwZDaO0dpnu6A==",
                "sha1": "e975e948e7d99f8399a762b0565af33b28e61a47"
            },
            "filename": "weavedb-client-0.45.3.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-client/MAL-2026-4716.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]