MAL-2026-5192
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-contracts/MAL-2026-5192.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5192
- Published
- 2026-06-04T22:27:40Z
- Modified
- 2026-06-04T23:16:41.898668118Z
- Summary
- Malicious code in weavedb-contracts (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
- Database specific
{ "malicious-packages-origins": [ { "versions": [ "0.45.2" ], "sha256": "146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae", "source": "google-open-source-security", "modified_time": "2026-06-04T22:28:51.769005667Z", "import_time": "2026-06-04T22:42:01.227855Z" } ] }- References
Affected packages
npm / weavedb-contracts
Package
- Name
- weavedb-contracts
- View open source insights on deps.dev
- Purl
- pkg:npm/weavedb-contracts