test-weavedb-sdk @1.1.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4690
Ecosystem
npm
Summary
Package name impersonates the legitimate weavedb-sdk; lib/index.js is a near-verbatim copy of that SDK's Arweave/Warp/EthCrypto class so the package functions as a drop-in substitute. package.json declares "preinstall": "./dist/runtime.node", directly executing a 976KB opaque ELF on every npm install . The.node extension is deceptive — legitimate Node native addons are loaded via require()/dlopen, not spawned as standalone executables. Strings recovered from the binary include HTTP/1.1 , POST , DELETE , https:// , USERPROFILE , LIBBPF_0.0 (eBPF), PTRACE , Ed25519 , and RSA_PKCS1_ — capabilities (HTTP egress, kernel-level eBPF, anti-debug ptrace, home-directory enumeration, cryptographic operations) consistent with an info-stealer / C2 implant and unrelated to the package's advertised purpose. The binary ships without source, build system, or any documentation, and runs unconditionally with the installer's privileges at install time.
Source: amazon-inspector (e3bf1d859670570df6b5400c4ae762c8de880ada809bb4c371f32339744b8f9d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.