MAL-2026-4808

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wm-idp-sdk/MAL-2026-4808.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4808
Published
2026-05-26T09:49:01Z
Modified
2026-05-26T13:47:12.563788173Z
Summary
Malicious code in wm-idp-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d2acf2a0d94ec1d2bada80f3251f5ecbea64d78ffadcab2b997b9708c2ae71cd)

package.json declares "node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch" — a direct HTTPS tarball URL hosted on a domain (registry.ctzbg.com) unrelated to the SDK's apparent publisher (walkme.com). The URL has no version pin, no commit/tag, and no integrity hash, so every npm install fetches whatever bytes the operator of that host currently serves and installs them as the package's node-fetch. dist/main.js then require('node-fetch') at module top, so the fetched code executes in any process that imports wm-idp-sdk. The host owner can swap the payload at any time without republishing wm-idp-sdk, giving them an open code-execution channel into every installer. The package additionally impersonates Walkme's IDP SDK (description references WM Identity Provider, posts to https://ec.walkme.com/event/log, uses storage key wm-ic-idp-end-user-info) while being published by the personal npm account hwmenv rather than the @walkme/* scope — namespace-abuse intent that compounds the install-time-RCE risk.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "88f2533b11955d8b97d811feb55dc9bd7f1ebe2f8811ae2724cf152b987662db",
            "versions": [
                "1.2.1"
            ],
            "import_time": "2026-05-26T13:32:45.393430056Z",
            "id": "IN-MAL-2026-004887",
            "modified_time": "2026-05-26T09:49:02Z"
        },
        {
            "modified_time": "2026-05-26T09:49:01Z",
            "sha256": "d2acf2a0d94ec1d2bada80f3251f5ecbea64d78ffadcab2b997b9708c2ae71cd",
            "versions": [
                "1.2.1"
            ],
            "import_time": "2026-05-26T13:32:45.327658936Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-004886"
        }
    ]
}
References
Credits

Affected packages

npm / wm-idp-sdk

Package

Affected ranges

Affected versions

1.*
1.2.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "wm-idp-sdk-1.2.1.tgz",
            "hashes": {
                "sha1": "33343547f90ba2de75c212ea9c19e6f33de484ca",
                "sha512_sri": "sha512-cxP3MzHMeqfm0G2R9KQYM4U4ILVMiWNWtIJKkNUACxHxGzmlYOnF5riiFA2biYs3dWZ6wp6aBA8iREctpLh66w=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "78119239c9244c7325c82296ad2d1253b5128c1b48a4bc0cb7c7162c8f1e1bf14fcaae",
            "sha256": "1f1cf0776d43bb9d7a34539911c67368d7cccdc00455adbc76bcfb1b2ef5eb6a",
            "path": "package.json"
        }
    ],
    "domains": [
        "registry.ctzbg.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wm-idp-sdk/MAL-2026-4808.json"