Supply-chain threat intelligence
Risk score
92
Indexed incident for weavedb-client (npm).
package.json declares "preinstall": "./scripts/postbuild". The referenced file is not a script but a 976,568-byte UPX-packed Linux x86-64 ELF binary (ELF magic \x7fELF\x02\x01\x01, upx.sf.net marker, dynamic loader reference /lib64/ld-linux-x86-64.so). Every npm install of this package executes this opaque native binary on the installer's machine, with no source, no hash/signature verification, and no documented purpose. The package's stated purpose is a JavaScript gRPC client for WeaveDB and has no legitimate requirement for a packed native Linux executable at install time. Strings extracted from the binary include KEYPuTTY-User-Key-File, BEGINPRIV, RSA_PKCS1_, Ed25519 (private-key parsing), oauthToken, dcTok (OAuth/Discord token field names), 2022-11-28 (GitHub REST API version header), USERPROFILE/HOME/PATH (environment scraping), PTRACE/NETLINK_DIAG (process/socket inspection), and HTTP client primitives (HTTP/1.1, application/json, Phttps://). This constellation matches a credential-harvester profile targeting SSH/PuTTY private keys, GitHub tokens, OAuth/Discord tokens, and environment variables, with HTTPS exfiltration. An earlier version (0.44.0) of the package had no install scripts; the preinstall + ELF were added without corresponding source-tree changes, consistent with a malicious release.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a preinstall hook. The payload is a Rust-built infostealer that targets developer environments, scanning for and harvesting credentials related to cloud providers, object storage, databases, source-control, package registries, and AI developer tools. It also targets cryptocurrency wallets, specifically injecting a malicious JavaScript hook into the Exodus desktop wallet to capture passwords and recovery phrases. Furthermore, the malware exhibits worm-like behavior by stealing GitHub and NPM credentials to push malicious updates to the victim's repositories and publish trojanized packages, and it uses an eBPF-based kernel rootkit to hide its processes and network connections on Linux systems.
Affected versions
Indicators
Timeline