MAL-2026-4717

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-console/MAL-2026-4717.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4717
Published
2026-05-26T01:01:33Z
Modified
2026-05-26T06:03:04.709791875Z
Summary
Malicious code in weavedb-console (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9cb1233d729c7aefcbe9024196bb4af52f78854aa5ed7f46afb4fa9cd59918c1)

package.json declares "preinstall": "./src/compiler/native", which auto-executes a 976 KB stripped Linux ELF binary on every npm install. The binary is undocumented — no source is shipped, no README mention, and no JavaScript code in the package references it. Extracted strings show system-introspection capabilities (libbpf/eBPF, ptrace, netlink-diag), cryptographic primitives (RSA, Ed25519, MLKEM), an HTTP/1.1 client, GitHub REST API references (api.github.com, version header 2022-11-28), XMLHttpRequest, and USERPROFILE — a system-introspection plus networking surface entirely inconsistent with the package's stated purpose (a Next.js admin console for WeaveDB, which requires no native compilation step). The binary is stripped and cannot be inspected before npm runs it. Installer harm: arbitrary attacker-controlled native code runs with the installer's privileges on npm install, with surface area (eBPF/ptrace) suggesting credential and process-memory access, and outbound HTTP/GitHub-API capability for exfiltration or further payload retrieval.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "71a1d59955effddbe219eb31f60faec73be48629058bd1a4ea26a3e583c79845",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T01:02:02Z",
            "versions": [
                "0.2.1"
            ],
            "id": "IN-MAL-2026-004839",
            "import_time": "2026-05-26T05:53:23.008183105Z"
        },
        {
            "source": "amazon-inspector",
            "sha256": "9cb1233d729c7aefcbe9024196bb4af52f78854aa5ed7f46afb4fa9cd59918c1",
            "modified_time": "2026-05-26T01:01:33Z",
            "versions": [
                "0.2.1"
            ],
            "id": "IN-MAL-2026-004836",
            "import_time": "2026-05-26T05:53:22.674170667Z"
        }
    ]
}

Affected packages

npm / weavedb-console

Package

Affected ranges

Affected versions

0.*
0.2.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-console/MAL-2026-4717.json"
indicators
{
    "domains": [
        "codeload.github.com"
    ],
    "package_integrity": [
        {
            "filename": "weavedb-console-0.2.1.tgz",
            "hashes": {
                "sha1": "d7208c2353e066d1d2dbd77b375fabfcc463c213",
                "sha512_sri": "sha512-+MqOoirMkuY5Jr37/EoOxjyLuRU0hpw9izmtlNsjnkUt7XxtVYeuWNjkjPfuKtj0bI+HtQLjovP1sSeCH15VmQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "1c117620ce228db319ca026c78ba124394395c071d55f80c33928b4c4f4e52f62b9a9e",
            "sha256": "5d4f9311f73a69f9a41d07c318e37184360d426fe6634f4ab8157692d797095a"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]