{"id":"MAL-2026-4716","summary":"Malicious code in weavedb-client (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (469844df44557b10f865edf7d3d000fd90c901c6a42cc5402116247dca1528f0)\npackage.json declares `\"preinstall\": \"./scripts/postbuild\"`. The referenced file is not a script but a 976,568-byte UPX-packed Linux x86-64 ELF binary (ELF magic `\\x7fELF\\x02\\x01\\x01`, `upx.sf.net` marker, dynamic loader reference `/lib64/ld-linux-x86-64.so`). Every `npm install` of this package executes this opaque native binary on the installer's machine, with no source, no hash/signature verification, and no documented purpose. The package's stated purpose is a JavaScript gRPC client for WeaveDB and has no legitimate requirement for a packed native Linux executable at install time. Strings extracted from the binary include `KEYPuTTY-User-Key-File`, `BEGINPRIV`, `RSA_PKCS1_`, `Ed25519` (private-key parsing), `oauthToken`, `dcTok` (OAuth/Discord token field names), `2022-11-28` (GitHub REST API version header), `USERPROFILE`/`HOME`/`PATH` (environment scraping), `PTRACE`/`NETLINK_DIAG` (process/socket inspection), and HTTP client primitives (`HTTP/1.1`, `application/json`, `Phttps://`). This constellation matches a credential-harvester profile targeting SSH/PuTTY private keys, GitHub tokens, OAuth/Discord tokens, and environment variables, with HTTPS exfiltration. An earlier version (0.44.0) of the package had no install scripts; the preinstall + ELF were added without corresponding source-tree changes, consistent with a malicious release.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:41.741477902Z","published":"2026-05-26T01:01:01Z","database_specific":{"malicious-packages-origins":[{"versions":["0.45.3"],"id":"IN-MAL-2026-004827","modified_time":"2026-05-26T01:01:01Z","source":"amazon-inspector","import_time":"2026-05-26T05:53:21.649986328Z","sha256":"469844df44557b10f865edf7d3d000fd90c901c6a42cc5402116247dca1528f0"},{"versions":["0.45.3"],"modified_time":"2026-06-04T22:28:51.769005667Z","import_time":"2026-06-04T22:42:01.227855Z","sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","source":"google-open-source-security"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/weavedb-client/v/0.45.3"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"weavedb-client","ecosystem":"npm","purl":"pkg:npm/weavedb-client"},"versions":["0.45.3"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"e975e948e7d99f8399a762b0565af33b28e61a47","sha512_sri":"sha512-CSrHxHlmG2QidRrqWGxmviG/dz4RgmbLKjf9sW/O1va3NGi3PhcCIxxA0FmyxmHM4CW1TUdPRVwZDaO0dpnu6A=="},"filename":"weavedb-client-0.45.3.tgz"}],"evidence_files":[{"path":"package.json","tlsh":"b1f0e570dda1da6304c452ae54b7924379a81c03098cfc0833d3e30c4f4ea6b31b9a5d","sha256":"c09c111b6eb35d3fc12196177506db613c38fdc4d85a9bd4c2bea9d7b52449f2"},{"path":"scripts/postbuild","tlsh":"0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3","sha256":"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-client/MAL-2026-4716.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}