MAL-2026-4718

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-exm-sdk/MAL-2026-4718.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4718
Published
2026-05-26T01:01:18Z
Modified
2026-05-26T06:03:04.710061131Z
Summary
Malicious code in weavedb-exm-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (78ab05b11a1c784b066c89ffaff7bdf3a3351c611818e1d310cf718a64f20aec)

package.json declares "preinstall": "./vendor/setup", so every npm install of weavedb-exm-sdk executes vendor/setup. That file is a 976,568-byte Linux x86 ELF executable, and it is UPX-packed: the http://upx.sf.net self-decompressor banner is present at offset ~4574.

The package's advertised purpose is a pure-JS WeaveDB/EXM SDK that wraps @execution-machine/sdk, arweave, and ramda. The source tree contains no native code, no binding.gyp, no node-gyp build step, and no documented reason to ship a Linux native binary.

Strings recovered from the tail of the binary include LIBBPF, PTRACE, NETLINK, HTTP/1.1, POST, https://, and USERPROFILE, pointing to eBPF, ptrace and network capabilities that a JavaScript SDK has no need for. UPX packing of an install-time payload is an intentional anti-analysis measure: the bytes that actually execute cannot be audited from the source tree.

This is a textbook opaque-binary dropper at preinstall time. The installer runs attacker-controlled native code on every npm install, with no hash verification, no match between the binary and the package's stated purpose, and no transparency.
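The preinstall pattern described above can be checked mechanically before a package is installed. The following is an added example, not code from the advisory, from Amazon Inspector or from the weavedb-exm-sdk project: it reads the install-time lifecycle scripts from a package.json, resolves each script target inside the unpacked package tree, and flags targets whose bytes begin with the ELF magic and contain the UPX banner string. The package.json, the file bytes and the function names are constructed for the example; only the hook names, the ELF magic and the UPX banner are real.

```javascript
// Added example (not from the advisory, Amazon Inspector, or the package):
// audit a package's install-time lifecycle scripts for opaque native binaries.
// The sample package.json and the fake ELF bytes below are constructed.

// Scripts npm runs automatically when a dependency is installed from the registry.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const ELF_MAGIC = Buffer.from([0x7f, 0x45, 0x4c, 0x46]); // "\x7fELF"
const UPX_BANNER = Buffer.from('http://upx.sf.net'); // self-decompressor stub string

// Classify raw file bytes: ELF header present? UPX banner present, and at what offset?
function inspectBytes(bytes) {
  const isElf = bytes.length >= 4 && bytes.subarray(0, 4).equals(ELF_MAGIC);
  const upxOffset = bytes.indexOf(UPX_BANNER);
  return { size: bytes.length, isElf, upxPacked: upxOffset !== -1, upxOffset };
}

// First token of a script command, with a leading "./" stripped so it can be
// looked up in the package tree: "./vendor/setup" -> "vendor/setup",
// "node scripts/check.js" -> "node".
function scriptTarget(cmd) {
  return cmd.trim().split(/\s+/)[0].replace(/^\.\//, '');
}

// pkgJson: parsed package.json; files: map of package-relative path -> Buffer
// (in real use, fill this with fs.readFileSync for each script target).
function auditPackage(pkgJson, files) {
  const scripts = pkgJson.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const cmd = scripts[hook];
    const target = scriptTarget(cmd);
    const bytes = files[target];
    let verdict;
    let detail = null;
    if (bytes === undefined) {
      verdict = 'external-command'; // interpreter on PATH (node, sh) or a file not shipped
    } else {
      detail = inspectBytes(bytes);
      if (!detail.isElf) verdict = 'script-file';
      else verdict = detail.upxPacked ? 'packed-native-binary' : 'native-binary';
    }
    findings.push({ hook, cmd, target, verdict, detail });
  }
  return findings;
}

// Constructed sample mirroring the advisory's package.json.
const SAMPLE_PKG = {
  name: 'weavedb-exm-sdk',
  version: '0.7.4',
  scripts: { preinstall: './vendor/setup', test: 'mocha' },
};
// Constructed stand-in for vendor/setup: ELF magic, padding, UPX banner, padding.
const FAKE_ELF = Buffer.concat([ELF_MAGIC, Buffer.alloc(100, 0), UPX_BANNER, Buffer.alloc(20, 0)]);
const SAMPLE_TREE = { 'vendor/setup': FAKE_ELF };

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_TREE), null, 2));
```

To run this against a real package, fetch the tarball with npm pack, unpack it with tar xzf, and fill the files map from disk before anything is installed. The only reliable way to keep a hook like this from running at all is ignore-scripts=true in .npmrc (or npm install --ignore-scripts); an audit of this kind is then the gate for re-enabling scripts for a specific package.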

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "3f1ea3d51113930c1f13cfdc5cd5996836d6daf9557c1c87e2e1435bfaec1b52",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T01:01:28Z",
            "import_time": "2026-05-26T05:53:22.439435442Z",
            "versions": [
                "0.7.4"
            ],
            "id": "IN-MAL-2026-004834"
        },
        {
            "sha256": "78ab05b11a1c784b066c89ffaff7bdf3a3351c611818e1d310cf718a64f20aec",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T01:01:18Z",
            "versions": [
                "0.7.4"
            ],
            "id": "IN-MAL-2026-004833",
            "import_time": "2026-05-26T05:53:22.327076465Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / weavedb-exm-sdk
Affected ranges: 0.*
Affected versions: 0.7.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-exm-sdk/MAL-2026-4718.json"
indicators
{
    "domains": [
        "codeload.github.com"
    ],
    "package_integrity": [
        {
            "filename": "weavedb-exm-sdk-0.7.4.tgz",
            "hashes": {
                "sha1": "aae92666ae06382901607ae2fd8bbe60917131ee",
                "sha512_sri": "sha512-mUMUcB97qmOCXBwVZAX3AFYs8L+T6aAIUpNU9xDiA8FzibnPxc06nGmWEnH7LdZjr4J2CCDpDxLlbslPIkfMJg=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "b2f08170cd60d93305c415e058760146f2628c4b4d08fc9d33c3a20c4b5dd7b24be6ad",
            "sha256": "c29737235ec9a53e6d09297fd934efaf634887100eadb2ce8d2494c371ea6253"
        },
        {
            "path": "vendor/setup",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]