VDB
KO

MAL-2026-4722

Malicious code in weavedb-offchain (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d267c34e35dca7091a9ab01d22a9c0a4cfde364531b8017f15f4a09785381198) package.json declares `scripts.preinstall: "./.github/scripts/precheck"`, where `precheck` is a 976,568-byte stripped Linux ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) hidden under a CI-config-looking `.github/scripts/` directory. The package advertises itself as a pure-JavaScript Arweave/WeaveDB database wrapper (index.js exports class OffChain); it ships no native source, no binding.gyp, and prior versions had no preinstall hook. The ELF's strings reveal a multi-platform implant capability set with no connection to the package's stated purpose: `LIBBPF_0.0` (eBPF kernel hooking), `PTRACE` (process tracing / anti-debug), `NETLINK` and `_BY_FAMILY` (raw socket / connection enumeration), an HTTP/1.1 client with `POST`/`DELETE` methods, GitHub REST API version header `2022-11-28`, modern TLS/crypto primitives (Ed25519, X448, MLKEM, RSA_PKCS1), and a Windows `USERPROFILE` environment probe. On `npm install`, this binary executes unconditionally with the installer's privileges before any user code runs — the canonical install-time-RCE binary-dropper pattern. Any developer or CI runner that installs this version should be considered compromised.

## Source: ghsa-malware (948c18b91f96653345e01f92b88f692df71ea1425ddd6986ac5f87cb29d75a02) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae) This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / weavedb-offchain

No fixed version published yet for weavedb-offchain (npm). Pin to a known-safe version or switch to an alternative.

References