{"id":"MAL-2026-4713","summary":"Malicious code in wdb-cli (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3ddd306d024c4dd394d19c1adb610389f239fa619d25fff4f75b857a678da0ee)\npackage.json declares `\"preinstall\": \"./vendor/setup\"`, which on every `npm install` invokes a 976568-byte Linux x86 ELF binary shipped inside the package tarball (sha256 36abd242…6d36). The binary has no accompanying source, no `binding.gyp`, no build step, and is not documented anywhere in the package. Strings inside the ELF reveal capabilities (`LIBBPF_0.0`, `PTRACE`, `NETLINK`, `HTTP/1.1`, `https://`, RSA crypto) that have no plausible relationship to a database CLI's installation. The installer cannot inspect the bytes before they execute, the binary is not hash-verified, and it is not pulled from a publisher-matching, version-pinned release. Any developer or CI environment running `npm install wdb-cli` therefore executes opaque, attacker-controllable native code with the invoking user's privileges, with eBPF/ptrace primitives that enable kernel-level observation and process tampering, and with built-in HTTPS capability for outbound exfiltration or C2. A separate file (`workspace/.wallet.json`) ships a full RSA private key, but that appears to be author self-harm (the author's own dev wallet copied into user-created project scaffolds via an explicit CLI subcommand) and is not the basis for this verdict.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:41.726080953Z","published":"2026-05-26T01:00:19Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:20.34010638Z","id":"IN-MAL-2026-004816","modified_time":"2026-05-26T01:00:19Z","versions":["0.1.1"],"sha256":"3ddd306d024c4dd394d19c1adb610389f239fa619d25fff4f75b857a678da0ee","source":"amazon-inspector"},{"import_time":"2026-06-04T22:42:01.227855Z","modified_time":"2026-06-04T22:28:51.769005667Z","versions":["0.1.1"],"sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","source":"google-open-source-security"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/wdb-cli/v/0.1.1"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"wdb-cli","ecosystem":"npm","purl":"pkg:npm/wdb-cli"},"versions":["0.1.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"ccd05b70cd756a7318c467e4947f5a0776530c63140cfc1c23d3511c979c92728bd49d","path":"package.json","sha256":"0997712a59f1f99d6bfa17d0d5d69ab2901444a9e42ec708e1607cbe36325637"},{"tlsh":"48516c88954b70124483a50c350b21c9b55e1e4fcad328de7592ccdae7b2a2d6adfd91","path":"workspace/.wallet.json","sha256":"e644e4f707f9c97943bac2456c3ad335f6d98b57950f764c5744c74b4e2e3e42"}],"package_integrity":[{"hashes":{"sha1":"d9df2cbb8a203d7f35e4985098b7ed096652c26a","sha512_sri":"sha512-/x7YnNRg9oJHreyC0+RopLC9d0mJgpTWh+AeE51Gi7LqGO/7aeQlFpnoSSNsd/JGUVqk0tA6bYVRDafy86/LhQ=="},"filename":"wdb-cli-0.1.1.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wdb-cli/MAL-2026-4713.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}