-= Per source details. Do not edit below this line.=-
package.json declares "node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch" — a direct HTTPS tarball URL hosted on a domain (registry.ctzbg.com) unrelated to the SDK's apparent publisher (walkme.com). The URL has no version pin, no commit/tag, and no integrity hash, so every npm install fetches whatever bytes the operator of that host currently serves and installs them as the package's node-fetch. dist/main.js then require('node-fetch') at module top, so the fetched code executes in any process that imports wm-idp-sdk. The host owner can swap the payload at any time without republishing wm-idp-sdk, giving them an open code-execution channel into every installer. The package additionally impersonates Walkme's IDP SDK (description references WM Identity Provider, posts to https://ec.walkme.com/event/log, uses storage key wm-ic-idp-end-user-info) while being published by the personal npm account hwmenv rather than the @walkme/* scope — namespace-abuse intent that compounds the install-time-RCE risk.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "88f2533b11955d8b97d811feb55dc9bd7f1ebe2f8811ae2724cf152b987662db",
"versions": [
"1.2.1"
],
"import_time": "2026-05-26T13:32:45.393430056Z",
"id": "IN-MAL-2026-004887",
"modified_time": "2026-05-26T09:49:02Z"
},
{
"modified_time": "2026-05-26T09:49:01Z",
"sha256": "d2acf2a0d94ec1d2bada80f3251f5ecbea64d78ffadcab2b997b9708c2ae71cd",
"versions": [
"1.2.1"
],
"import_time": "2026-05-26T13:32:45.327658936Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-004886"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "wm-idp-sdk-1.2.1.tgz",
"hashes": {
"sha1": "33343547f90ba2de75c212ea9c19e6f33de484ca",
"sha512_sri": "sha512-cxP3MzHMeqfm0G2R9KQYM4U4ILVMiWNWtIJKkNUACxHxGzmlYOnF5riiFA2biYs3dWZ6wp6aBA8iREctpLh66w=="
}
}
],
"evidence_files": [
{
"tlsh": "78119239c9244c7325c82296ad2d1253b5128c1b48a4bc0cb7c7162c8f1e1bf14fcaae",
"sha256": "1f1cf0776d43bb9d7a34539911c67368d7cccdc00455adbc76bcfb1b2ef5eb6a",
"path": "package.json"
}
],
"domains": [
"registry.ctzbg.com"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wm-idp-sdk/MAL-2026-4808.json"