weavedb-base @0.45.4
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC
OSV ID
MAL-2026-4715
Ecosystem
npm
Summary
package.json declares "preinstall": "./vendor/setup", which runs a 976KB packed Linux x86 ELF binary (sha256 36abd242ddaa27f0160c539377a0e92cf781c1695137850acc87e3892b436d36) on every npm install . The binary is packed/compressed — its strings are mostly non-printable garbage with isolated fragments for HTTP/1.1 , https:// , POST , DELETE , USERPROFILE , PTRACE , LIBBPF_0.0 , and TLS/Ed25519/RSA primitives — indicating networking and process-tracing capability hidden behind a packer. The package self-describes as a pure-JavaScript Arweave-related library, which has no need for a privileged native binary, let alone one that auto-executes at install time without any integrity verification, version pinning, or build-from-source path. The combination of (a) install-time unconditional execution, (b) opaque packed payload defeating static inspection, (c) no relationship between the binary's apparent capabilities (kernel tracing, raw networking) and the package's advertised purpose, and (d) absence of any hash check or publisher-matched download URL makes this a textbook install-time RCE dropper. Any developer or CI system that runs npm install weavedb-base on Linux executes this binary with the installer's privileges.
Source: amazon-inspector (886f22636b5e4726978e23b10a4311fb7e65c2b10003da72429348fa617884d1)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.