MAL-2026-4725

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-sdk-node/MAL-2026-4725.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4725

Published

2026-05-26T00:59:03Z

Modified

2026-06-04T23:16:43.166909899Z

Summary

Malicious code in weavedb-sdk-node (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (59e557cd0501bb17925a19c5d3525fdf18f286b21750a44c0164eb7e165f55d9)

package.json declares "preinstall": "./dist/runtime.node", causing npm to execute a ~976 KB packed binary on every install. The file uses the .node extension typically reserved for Node.js native addons loaded via require()/process.dlopen, but here it is invoked directly as a shell command — not loaded as an addon. The binary is opaque (mostly non-ASCII, packed/obfuscated) and contains strings indicating HTTP networking (HTTP/1.1, POST, DELETE), environment-variable enumeration (USERPROFILE, PATH, LANG), TLS, and RSA/Ed25519 cryptography. There is no shipped source, no node-gyp/prebuild-install scaffolding, and no documented purpose for executing a binary at install. The combination of (a) lifecycle-hook execution of a shipped opaque binary, (b) misleading .node extension on a non-addon executable, and (c) embedded networking + env-scraping + crypto capability strings matches the dropper/credential-stealer fingerprint. On npm install, attacker-controlled code runs with the installer's privileges and has the capability to exfiltrate environment variables and credentials.

Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)

This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:53:18.858488529Z",
            "versions": [
                "0.45.3"
            ],
            "sha256": "59e557cd0501bb17925a19c5d3525fdf18f286b21750a44c0164eb7e165f55d9",
            "id": "IN-MAL-2026-004805",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T00:59:03Z"
        },
        {
            "modified_time": "2026-06-04T22:28:51.769005667Z",
            "versions": [
                "0.45.3"
            ],
            "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae",
            "source": "google-open-source-security",
            "import_time": "2026-06-04T22:42:01.227855Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / weavedb-sdk-node

Package

Name: weavedb-sdk-node; View open source insights on deps.dev
Purl: pkg:npm/weavedb-sdk-node

Affected ranges

Affected versions

0.*

0.45.3

Database specific

indicators

{
    "evidence_files": [
        {
            "sha256": "e2f628fd69ecd3176b2c2b266b218bf14d56a5317715c86507ddff41a87bf64f",
            "tlsh": "16014971cd64dab319d821e9a87701826122d8578d4cfc8d33c3a31d4b5d9fb21be29d",
            "path": "package.json"
        },
        {
            "sha256": "36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36",
            "tlsh": "0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3",
            "path": "dist/runtime.node"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ZUoRH+PHpzDmwLz9Tpf84XMB3bG5sj8qU3f32OTdHEvvH6kyNV72bT/c/I63Rrb2a1yNCfnxMjE7GwUmSFC0EA==",
                "sha1": "22bda32e43978bd4b4a3700530f3d9f331a1ff29"
            },
            "filename": "weavedb-sdk-node-0.45.3.tgz"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-sdk-node/MAL-2026-4725.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]