MAL-2026-4721
Malicious code in weavedb-node-client (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d174728fc7469b023ece1980797185c35abd74c56e253bc1dc1b295a46a1dbd2) package.json declares `"preinstall": "./tools/setup"`, unconditionally executing a 976KB UPX-packed, stripped Linux x86 ELF on every `npm install`. The package advertises itself as a thin pure-JS WeaveDB gRPC client (a single `weavedb.proto` and a ~150-line `index.js`) and has no native build requirement: no `binding.gyp`, no C/C++/Rust source, no documented native dependency, and no README mention of the shipped binary. Strings extracted from `tools/setup` indicate capabilities consistent with a credential-stealer / process-introspection payload: `LIBBPF_0.0` and `~PTRACE` (eBPF / ptrace primitives), `USERPROFILE` (Windows home-directory traversal), `2022-11-28` (GitHub REST API-Version header), `RSA_PKCS1_` and `Ed25519` (key handling), and `HTTP/1.1` with `POST` / `DELETE` verbs. The shape — opaque packed binary, no matching source, advertised purpose mismatch, executed at npm lifecycle, with capability strings for GitHub tokens and home-directory secrets — is the canonical generic-binary-runner-dropper. Any developer or CI system running `npm install weavedb-node-client` on Linux will execute this attacker-controlled native code with their user privileges.
## Source: ghsa-malware (4c4750239ae3ce7389e12d415afe319177f608379dede58dea48be7f8fc44a7b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
## Source: google-open-source-security (146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae) This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for weavedb-node-client (npm). Pin to a known-safe version or switch to an alternative.