MAL-2026-4723

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-sdk/MAL-2026-4723.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4723
Published
2026-05-26T00:59:18Z
Modified
2026-05-26T06:03:07.408763929Z
Summary
Malicious code in weavedb-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c25ff456baf684075b65ecf808bbfe36cbf91811fb4b04b70c13a3dd9d8a9403)

package.json declares "preinstall": "./tools/setup", where tools/setup is a 976KB stripped Linux x86-64 ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) shipped directly in the tarball. The package self-describes as a JavaScript SDK for an Arweave-backed database; it has no native component, no binding.gyp, no C/C++/Rust source, and no build system that would justify a precompiled binary. The binary is not fetched from a publisher CDN, not version-pinned, and not hash-verified — it simply runs unconditionally with the installer's privileges on every npm install. Strings extracted from the binary include a PuTTY private-key header (BEGINPRIV...KEYPuTTY-), RSA_PKCS1_, Ed25519, cookie, Authorization, HTTP/1.1, POST, XMLH (XMLHttpRequest), USERPROFILE, HOME, /proc, id_, ssh, and a second embedded ELF header at offset ~270 (UPX-packed loader pattern). This fingerprint set — SSH/PuTTY private-key parsing primitives + browser cookie/Authorization-header scraping + HTTP POST exfil scaffolding + home-directory and /proc traversal — is the canonical shape of a credential and SSH-key stealer. Installing this package on Linux compromises stored SSH/PuTTY keys, browser session cookies, and any credentials reachable from the user's home directory and environment.
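A triage check for the pattern described above (an install hook that launches a native binary shipped inside the tarball), written as an added example and not taken from the advisory or its source. The names `audit_install_hooks` and `build_sample` are hypothetical, the sample package is constructed and inert, and the package is assumed to be already unpacked on disk without its scripts having run.

```python
import hashlib, json, shlex, tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # run automatically by npm install
# Magic bytes: ELF, PE (MZ), Mach-O 64-bit, Mach-O universal.
NATIVE_MAGICS = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
# sha256 of tools/setup as published in this advisory.
ADVISORY_SHA256 = {"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36"}


def audit_install_hooks(pkg_dir):
    """Report install hooks whose command names a native binary shipped in the package."""
    root = Path(pkg_dir).resolve()
    manifest = json.loads((root / "package.json").read_text(encoding="utf-8"))
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        try:
            tokens = shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to whitespace splitting
            tokens = command.split()
        for token in tokens:
            target = (root / token).resolve()
            # Skip anything outside the unpacked package (e.g. /bin/sh) or not a file.
            if root not in target.parents or not target.is_file():
                continue
            data = target.read_bytes()
            if data.startswith(NATIVE_MAGICS):
                digest = hashlib.sha256(data).hexdigest()
                findings.append({"hook": hook, "path": target.relative_to(root).as_posix(),
                                 "size": len(data), "sha256": digest,
                                 "known_bad": digest in ADVISORY_SHA256})
    return findings


def build_sample(pkg_dir, hook_cmd="./tools/setup", payload=b"\x7fELF" + b"\x00" * 60):
    """Write a constructed, inert package layout mirroring the one described (no real binary)."""
    root = Path(pkg_dir)
    (root / "tools").mkdir(parents=True, exist_ok=True)
    (root / "tools" / "setup").write_bytes(payload)
    manifest = {"name": "sample-pkg", "version": "0.0.0", "scripts": {"preinstall": hook_cmd}}
    (root / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_install_hooks(build_sample(tmp)):
            print(finding)
```

The check only resolves hook tokens that are file paths inside the package, so a hook that reaches the binary through an intermediate script is not caught by it.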

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "c25ff456baf684075b65ecf808bbfe36cbf91811fb4b04b70c13a3dd9d8a9403",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T00:59:18Z",
            "versions": [
                "0.45.3"
            ],
            "id": "IN-MAL-2026-004809",
            "import_time": "2026-05-26T05:53:19.478332473Z"
        }
    ]
}

Affected packages

npm / weavedb-sdk

Affected versions

0.*
0.45.3

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-sdk/MAL-2026-4723.json"
indicators
{
    "package_integrity": [
        {
            "filename": "weavedb-sdk-0.45.3.tgz",
            "hashes": {
                "sha1": "7750bab1a6c48831b5a889e6b799d1684d0a4f2a",
                "sha512_sri": "sha512-FCBSwsE2Bfl03hau2iW5jFB5Yuaw0Bj6mCS7ir6PEBoEY3cY7iGCHzkFsZZwoFAx6J+gBXEbeTyquC/rh4KR7Q=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "aa112971dda4deb319e4229864764152726599074d88f8cc33d3e30d8f4cabb217aa6d",
            "sha256": "e5316c8599e2913d7fc0464b8adf574aaf793f662308dea1e694e7b6e4caa48c"
        },
        {
            "path": "tools/setup",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]