MAL-2026-4719

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-exm-sdk-web/MAL-2026-4719.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4719

Published

2026-05-26T01:00:27Z

Modified

2026-06-04T23:16:42.049988610Z

Summary

Malicious code in weavedb-exm-sdk-web (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3992f423f88c69e8c00223cc0ef81f970b8e178f1854beb00ef443586302ad89)

package.json declares "preinstall": "./bin/install-deps", which runs a 976KB UPX-packed Linux x86 ELF binary on every npm install. The package self-describes as a pure-JavaScript 'Web Client for WeaveDB' — its index.js is a ~60-line HTTP wrapper around https://${functionId}.exm.run — with no native build step, no shipped C/C++/Rust source, and no purpose-aligned reason to ship or execute a Linux binary at install time. The binary carries the UPX runtime-unpacker signature (http://upx.sf.net at offset ~4574) so its actual payload is compressed and not statically reviewable; visible string fragments reference PTRACE (process tracing), libbpf (kernel packet filtering), HTTP client primitives, and GitHub API headers — capabilities entirely unrelated to a WeaveDB JS HTTP client. There is no hash/signature verification, no version pinning, no documentation of the binary's presence in the README, and the file is staged under a generic 'install-deps' cover name. Installer impact: any npm install weavedb-exm-sdk-web on a Linux host (developer machines, CI runners) executes attacker-controlled, process-privileged native code with capabilities (ptrace, eBPF) suitable for credential theft, process injection, and host-level surveillance, before any application code is loaded.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.7.4"
            ],
            "modified_time": "2026-05-26T01:00:27Z",
            "sha256": "3992f423f88c69e8c00223cc0ef81f970b8e178f1854beb00ef443586302ad89",
            "id": "IN-MAL-2026-004822",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:21.060961272Z"
        },
        {
            "versions": [
                "0.7.4"
            ],
            "modified_time": "2026-05-26T01:00:46Z",
            "sha256": "6d915cf3841ae8f9981812b2c80280b09b79c29208227d602ad880e9535f81e6",
            "id": "IN-MAL-2026-004826",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:21.534074075Z"
        },
        {
            "versions": [
                "0.7.4"
            ],
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "source": "google-open-source-security",
            "import_time": "2026-06-04T22:42:01.227855Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / weavedb-exm-sdk-web

Package

Name: weavedb-exm-sdk-web; View open source insights on deps.dev
Purl: pkg:npm/weavedb-exm-sdk-web

Affected ranges

Affected versions

0.*

0.7.4

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]

indicators

{
    "domains": [
        "codeload.github.com"
    ],
    "package_integrity": [
        {
            "filename": "weavedb-exm-sdk-web-0.7.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-prrAiiMfDwjWgWHjBvFDkhdlgV/wgy+g57Neh84L+wotCyjihG5yc5THkdXtJPLeqNAEXvB4ty0k60tudarc1A==",
                "sha1": "dfd03cd94d25b2d1dda6cdae469445fb432a91b2"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "62017d74cd64da7309c415e469a61145a7664c178d04fc9c33c37a0c4b5ddbb20beaae",
            "sha256": "609b66c7658dd0d016531a9c91a92911f48ba21d053e193f21a38a2de0061ca8"
        },
        {
            "path": "bin/install-deps",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-exm-sdk-web/MAL-2026-4719.json"