{"id":"MAL-2026-4726","summary":"Malicious code in weavedb-tools (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e2da95bd75489853f6b09a9aef5a5ee03ee6715b41dac446d29f273c750027a3)\npackage.json declares `\"preinstall\": \"./dist/runtime.node\"`, which directly executes a ~976KB Linux ELF binary at every `npm install`. The `.node` extension (normally reserved for Node native addons loaded via `require()`) is misused here — the file is invoked as a shell command, not loaded as an addon, a naming choice that evades scanners which treat `.node` files as benign native bindings. The binary is packed/encrypted (large opaque regions, no source, no `binding.gyp`, no build manifest) and its strings include `LIBBPF_0.0`, `PTRACE`, `/proc`, `USERPROFILE`, `https://`, `HTTP/1.1`, `POST`, and `DELETE` — capabilities (eBPF instrumentation, process tracing, outbound HTTP, cross-platform user-home enumeration) wholly unrelated to the package's advertised purpose (a thin CLI helper). Legitimate prior versions of this package shipped only `index.js` and a workspace template with no preinstall hook and no native binary; the addition of an opaque packed ELF executed at install time is consistent with a compromised-publish or typosquat-republish supply-chain attack. Installer impact: arbitrary attacker-controlled native code runs with the user's privileges on every `npm install`, with capabilities to ptrace other processes, instrument the kernel via BPF, enumerate the home directory, and exfiltrate over HTTPS.\n\n## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae)\nThis package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.\n","modified":"2026-06-04T23:16:43.165717766Z","published":"2026-05-26T01:00:26Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:53:20.854061438Z","sha256":"e2da95bd75489853f6b09a9aef5a5ee03ee6715b41dac446d29f273c750027a3","source":"amazon-inspector","versions":["0.45.3"],"modified_time":"2026-05-26T01:00:26Z","id":"IN-MAL-2026-004820"},{"import_time":"2026-06-04T22:42:01.227855Z","source":"google-open-source-security","versions":["0.45.3"],"sha256":"146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae","modified_time":"2026-06-04T22:28:51.769005667Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/weavedb-tools/v/0.45.3"},{"type":"ARTICLE","url":"http://www.ox.security/blog/ironworm-supply-chain-malware-hits-npm/"},{"type":"ARTICLE","url":"https://research.jfrog.com/post/iron-worm-shai-hulud-rustier-cousin/"}],"affected":[{"package":{"name":"weavedb-tools","ecosystem":"npm","purl":"pkg:npm/weavedb-tools"},"versions":["0.45.3"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"weavedb-tools-0.45.3.tgz","hashes":{"sha1":"7cce4b6e70f03a6ff203b01c4c01b5e50e79aff3","sha512_sri":"sha512-kfg5tfaIjCXlsNe+MGJfFFAXUrY0q7roVuXJo/gECMsfDD6MVnsxma+hON/NjedeMo0Xzw3/oEeKjUVpdhUk/w=="}}],"evidence_files":[{"path":"package.json","sha256":"8b6ea2aef327e92d4563151fcb9d75ea7588a1e0d1ae25c8ef34a8828efec150","tlsh":"bad0c270cc71696304c812ec58bb5a0662930c27000cbd2823c3611c879ce2720be09d"},{"path":"dist/runtime.node","sha256":"36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36","tlsh":"0c2533ab0025062b904d957a58963bd279c17c81afcc3662664dae742fb59c3cf63fc3"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/weavedb-tools/MAL-2026-4726.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}