weavedb-exm-sdk@0.7.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4718
Ecosystem
npm
Summary
package.json declares "preinstall": "./vendor/setup", causing every npm install weavedb-exm-sdk to execute vendor/setup — a 976,568-byte Linux x86 ELF that is UPX-packed (the http://upx.sf.net self-decompressor banner is present at offset ~4574). The package's advertised purpose is a pure-JS WeaveDB/EXM SDK that wraps @execution-machine/sdk, arweave, and ramda; the source tree contains no native code, no binding.gyp, no node-gyp build, and no documented reason to ship a Linux native binary. Strings recovered from the binary's tail include LIBBPF, PTRACE, NETLINK, HTTP/1.1, POST, https://, and USERPROFILE — capabilities (eBPF/ptrace/network) that a JavaScript SDK has no need for. UPX packing of an install-time payload is an intentional anti-analysis measure: the executable bytes are not auditable from the source tree. This is a textbook opaque-binary dropper at preinstall time — the installer runs attacker-controlled native code on every npm install, with no hash verification, no purpose match, and no transparency.
Source: amazon-inspector (78ab05b11a1c784b066c89ffaff7bdf3a3351c611818e1d310cf718a64f20aec)
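The pattern described in the summary (an install-time lifecycle script whose target is a packed ELF bundled in the package) can be checked on an unpacked package directory before anything is installed. The following is an added example, not code from the report or from the package; the function names auditInstallHooks and buildSamplePackage and the sample package are constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Lifecycle scripts that npm runs automatically during `npm install`.
const HOOKS = ["preinstall", "install", "postinstall"];
const ELF_MAGIC = Buffer.from([0x7f, 0x45, 0x4c, 0x46]); // "\x7fELF"
const UPX_MARKERS = ["UPX!", "upx.sf.net"]; // packer magic and the banner URL cited in the report

// Inspect one unpacked package directory; returns one finding per hook that runs a bundled ELF.
function auditInstallHooks(pkgDir) {
  const root = path.resolve(pkgDir);
  const manifest = JSON.parse(fs.readFileSync(path.join(root, "package.json"), "utf8"));
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd !== "string") continue;
    // First token of the script; we only care when it names a file inside the package.
    const target = cmd.trim().split(/\s+/)[0];
    const file = path.resolve(root, target);
    if (!file.startsWith(root + path.sep)) continue;
    if (!fs.existsSync(file) || !fs.statSync(file).isFile()) continue;
    const bytes = fs.readFileSync(file);
    if (!bytes.subarray(0, 4).equals(ELF_MAGIC)) continue;
    const markers = UPX_MARKERS.filter((m) => bytes.includes(m));
    findings.push({ hook, target, size: bytes.length, upxPacked: markers.length > 0, markers });
  }
  return findings;
}

// Constructed sample: a manifest shaped like the one in the report and a tiny fake "binary"
// (ELF magic, zero padding, UPX marker strings). It is not executable and carries no payload.
function buildSamplePackage() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "hook-audit-"));
  fs.mkdirSync(path.join(dir, "vendor"));
  const scripts = { preinstall: "./vendor/setup", test: "node test.js" };
  fs.writeFileSync(path.join(dir, "package.json"),
    JSON.stringify({ name: "sample-sdk", version: "0.0.0", scripts }));
  fs.writeFileSync(path.join(dir, "vendor", "setup"),
    Buffer.concat([ELF_MAGIC, Buffer.alloc(60), Buffer.from("UPX! $Info: http://upx.sf.net $")]));
  return dir;
}

console.log(auditInstallHooks(buildSamplePackage()));
```

Run it against a tarball extracted with npm pack, or install with --ignore-scripts first, so the hook under inspection never executes.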