-= Per source details. Do not edit below this line.=-
package.json declares "preinstall": "./bin/install-deps", pointing at a ~976KB packed Linux x86-64 ELF binary shipped in the tarball (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36). The package self-describes as a pure-JavaScript decentralized-DB SDK, so a native Linux helper has no documented purpose during install. No source code (.c/.cc/.rs/binding.gyp), no node-gyp or prebuild-install machinery, and no hash/signature verification accompanies the binary; its bytes are packed (fragmented, non-contiguous strings characteristic of UPX or a custom packer), preventing review. Extracted strings reveal HTTP/1.1, POST, DELETE, https://, USERPROFILE, LIBBPF (eBPF), PTRACE, and TLS/cipher routines — capabilities entirely inconsistent with a JavaScript SDK and consistent with a credential-harvest / surveillance / RCE payload. When npm install weavedb-sdk-base runs on Linux, this binary executes with the installer's UID before dependency resolution completes, giving the publisher arbitrary native code execution on the installer's machine.
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and npm credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
{
  "malicious-packages-origins": [
    {
      "id": "IN-MAL-2026-004835",
      "versions": [
        "0.21.1"
      ],
      "sha256": "40b4b0c5f79c0370a77c3b559b70389ffee591aa22c76ca15c4077fe95b5078e",
      "source": "amazon-inspector",
      "modified_time": "2026-05-26T01:01:28Z",
      "import_time": "2026-05-26T05:53:22.555392488Z"
    },
    {
      "import_time": "2026-06-04T22:42:01.227855Z",
      "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
      "source": "google-open-source-security",
      "modified_time": "2026-06-04T22:28:51.769005667Z",
      "versions": [
        "0.21.1"
      ]
    }
  ]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-sdk-base/MAL-2026-4724.json"
[
  {
    "cweId": "CWE-506",
    "name": "Embedded Malicious Code",
    "description": "The product contains code that appears to be malicious in nature."
  }
]
{
  "evidence_files": [
    {
      "path": "package.json",
      "sha256": "d2c81ff767773fd344e432f72b1235b9a904b918be9d4e77c94e516424cf3246",
      "tlsh": "5d213870de68cf7319e422a82426515661219a178d48f88d33d2b74d0f8daef317aa5e"
    },
    {
      "path": "bin/install-deps",
      "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
      "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"
    }
  ],
  "package_integrity": [
    {
      "filename": "weavedb-sdk-base-0.21.1.tgz",
      "hashes": {
        "sha512_sri": "sha512-7Ooi9SvZjEjJu1F+5vfGveLacMLHuAzZgjc/Q3t5VTHkbSv+NGKTGiND0smCXbybxHnG/SnVL8rbpB3tIrB9hA==",
        "sha1": "766facdb5f40c65471274232b9d756049f025ba9"
      }
    }
  ]
}