{"id":"MAL-2026-4719","summary":"Malicious code in weavedb-exm-sdk-web (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3992f423f88c69e8c00223cc0ef81f970b8e178f1854beb00ef443586302ad89)\npackage.json declares `\"preinstall\": \"./bin/install-deps\"`, which runs a 976KB UPX-packed Linux x86 ELF binary on every `npm install`. The package self-describes as a pure-JavaScript 'Web Client for WeaveDB' — its index.js is a ~60-line HTTP wrapper around `https://${functionId}.exm.run` — with no native build step, no shipped C/C++/Rust source, and no purpose-aligned reason to ship or execute a Linux binary at install time. The binary carries the UPX runtime-unpacker signature (`http://upx.sf.net` at offset ~4574) so its actual payload is compressed and not statically reviewable; visible string fragments reference PTRACE (process tracing), libbpf (kernel packet filtering), HTTP client primitives, and GitHub API headers — capabilities entirely unrelated to a WeaveDB JS HTTP client. There is no hash/signature verification, no version pinning, no documentation of the binary's presence in the README, and the file is staged under a generic 'install-deps' cover name. Installer impact: any `npm install weavedb-exm-sdk-web` on a Linux host (developer machines, CI runners) executes attacker-controlled, process-privileged native code with capabilities (ptrace, eBPF) suitable for credential theft, process injection, and host-level surveillance, before any application code is loaded.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:42.049988610Z","published":"2026-05-26T01:00:27Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004822","sha256":"3992f423f88c69e8c00223cc0ef81f970b8e178f1854beb00ef443586302ad89","import_time":"2026-05-26T05:53:21.060961272Z","modified_time":"2026-05-26T01:00:27Z","source":"amazon-inspector","versions":["0.7.4"]},{"id":"IN-MAL-2026-004826","sha256":"6d915cf3841ae8f9981812b2c80280b09b79c29208227d602ad880e9535f81e6","import_time":"2026-05-26T05:53:21.534074075Z","modified_time":"2026-05-26T01:00:46Z","source":"amazon-inspector","versions":["0.7.4"]},{"sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","import_time":"2026-06-04T22:42:01.227855Z","modified_time":"2026-06-04T22:28:51.769005667Z","source":"google-open-source-security","versions":["0.7.4"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/weavedb-exm-sdk-web/v/0.7.4"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"weavedb-exm-sdk-web","ecosystem":"npm","purl":"pkg:npm/weavedb-exm-sdk-web"},"versions":["0.7.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-exm-sdk-web/MAL-2026-4719.json","indicators":{"domains":["codeload.github.com"],"package_integrity":[{"hashes":{"sha1":"dfd03cd94d25b2d1dda6cdae469445fb432a91b2","sha512_sri":"sha512-prrAiiMfDwjWgWHjBvFDkhdlgV/wgy+g57Neh84L+wotCyjihG5yc5THkdXtJPLeqNAEXvB4ty0k60tudarc1A=="},"filename":"weavedb-exm-sdk-web-0.7.4.tgz"}],"evidence_files":[{"sha256":"609b66c7658dd0d016531a9c91a92911f48ba21d053e193f21a38a2de0061ca8","path":"package.json","tlsh":"62017d74cd64da7309c415e469a61145a7664c178d04fc9c33c37a0c4b5ddbb20beaae"},{"sha256":"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36","path":"bin/install-deps","tlsh":"0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}