{"id":"MAL-2026-4690","summary":"Malicious code in test-weavedb-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e3bf1d859670570df6b5400c4ae762c8de880ada809bb4c371f32339744b8f9d)\nPackage name impersonates the legitimate weavedb-sdk; lib/index.js is a near-verbatim copy of that SDK's Arweave/Warp/EthCrypto class so the package functions as a drop-in substitute. package.json declares \"preinstall\": \"./dist/runtime.node\", directly executing a 976KB opaque ELF on every `npm install`. The.node extension is deceptive — legitimate Node native addons are loaded via require()/dlopen, not spawned as standalone executables. Strings recovered from the binary include `HTTP/1.1`, `POST`, `DELETE`, `https://`, `USERPROFILE`, `LIBBPF_0.0` (eBPF), `PTRACE`, `Ed25519`, and `RSA_PKCS1_` — capabilities (HTTP egress, kernel-level eBPF, anti-debug ptrace, home-directory enumeration, cryptographic operations) consistent with an info-stealer / C2 implant and unrelated to the package's advertised purpose. The binary ships without source, build system, or any documentation, and runs unconditionally with the installer's privileges at install time.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:45.762284253Z","published":"2026-05-26T01:01:08Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:21.891510223Z","modified_time":"2026-05-26T01:01:08Z","versions":["1.1.1"],"sha256":"e3bf1d859670570df6b5400c4ae762c8de880ada809bb4c371f32339744b8f9d","source":"amazon-inspector","id":"IN-MAL-2026-004829"},{"import_time":"2026-06-04T22:42:01.227855Z","modified_time":"2026-06-04T22:28:51.769005667Z","versions":["1.1.1"],"sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","source":"google-open-source-security"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/test-weavedb-sdk/v/1.1.1"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"test-weavedb-sdk","ecosystem":"npm","purl":"pkg:npm/test-weavedb-sdk"},"versions":["1.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/test-weavedb-sdk/MAL-2026-4690.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"b892830c2bd36b2eb85405aa7a2f242267885f6add576f120ab46cb8504480ab","tlsh":"5d1127b0cea6cdd3aad462e520b8528322b1da834848f84d7396138d4f4e56f717a95e","path":"package.json"},{"sha256":"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36","tlsh":"0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3","path":"dist/runtime.node"}],"package_integrity":[{"filename":"test-weavedb-sdk-1.1.1.tgz","hashes":{"sha1":"f6990792451a6153e343161b96aeb190433535c9","sha512_sri":"sha512-xeP7YiklbQHFyOyEC1GroFNzUORbHhJXuRprYyMBYoCObSZVwonRCSrlLTo7nKUoagA94VsUZ0NaATB9Ga2e0g=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}