{"id":"MAL-2026-4714","summary":"Malicious code in wdb-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (05323f987b64131618be124040867a2acb216aef96952a6a3dfc11c615501500)\npackage.json declares `\"preinstall\": \"./dist/runtime.node\"`, causing npm to spawn the shipped file as an executable on every install on Linux. Despite the `.node` extension (which would normally indicate a Node-API addon loaded via `require()`), the file is a 976KB stripped/packed ELF binary, not a native addon — Node addons are never spawned as processes. The binary contains strings indicating network I/O (HTTP/1.1, POST, https://), host enumeration (USERPROFILE, /lib64, linux-x86), kernel/eBPF and ptrace primitives (LIBBPF_0.0, PTRACE), and modern crypto (RSA/Ed25519/X448/MLKEM), with packed/obfuscated fragments. The package ships no source, no binding.gyp, no node-gyp/prebuild-install/node-pre-gyp scaffolding, no checksum, and no version-pinned publisher-hosted release URL — none of the legitimate native-addon shape. The `.node` filename is a deliberate disguise to make the executable look like a benign addon. Any developer or CI system running `npm install wdb-sdk` on Linux executes this attacker-controlled binary with the installer's privileges.\n","modified":"2026-05-26T06:03:02.783582805Z","published":"2026-05-26T01:00:22Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:20.571480614Z","versions":["0.1.2"],"id":"IN-MAL-2026-004818","modified_time":"2026-05-26T01:00:22Z","sha256":"05323f987b64131618be124040867a2acb216aef96952a6a3dfc11c615501500","source":"amazon-inspector"},{"import_time":"2026-05-26T05:53:22.795939049Z","versions":["0.1.2"],"id":"IN-MAL-2026-004837","modified_time":"2026-05-26T01:01:33Z","sha256":"41b2d5a1d7c854367ea1055af8d4ea71a425bdff2a55888f86caaf7d53e5df16","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/wdb-sdk/v/0.1.2"}],"affected":[{"package":{"name":"wdb-sdk","ecosystem":"npm","purl":"pkg:npm/wdb-sdk"},"versions":["0.1.2"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"4bb9e1216c5d41591931a3d4c6fb4bab41df5eb8e87e2c913dbb4aa100d784ba","path":"package.json","tlsh":"6ce0e520cc70ee5368d452e1d5ae01c36ea329ab1414fd0933f6351c9e9c74b21bd609"},{"sha256":"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36","path":"dist/runtime.node","tlsh":"0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-SZ/PETBW353z9MGudwOXdlhAmYA9iJRijDg5ladQMNHp0dl8IUPC7U1+jJapI2z+KVsf96Nuv6EX9NNnBvIoHQ==","sha1":"6b42774d5bec9cc585516763c424ebe5fe2ff39b"},"filename":"wdb-sdk-0.1.2.tgz"}],"domains":["pkg.pr.new"]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wdb-sdk/MAL-2026-4714.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}