npm

weavedb-tools @0.45.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4726

Ecosystem

npm

Summary

package.json declares "preinstall": "./dist/runtime.node", which directly executes a ~976KB Linux ELF binary at every npm install. The .node extension (normally reserved for Node native addons loaded via require()) is misused here: the file is invoked as a shell command, not loaded as an addon, a naming choice that evades scanners which treat .node files as benign native bindings.

The binary is packed/encrypted (large opaque regions, no source, no binding.gyp, no build manifest), and its strings include LIBBPF_0.0, PTRACE, /proc, USERPROFILE, https://, HTTP/1.1, POST, and DELETE: capabilities (eBPF instrumentation, process tracing, outbound HTTP, cross-platform user-home enumeration) wholly unrelated to the package's advertised purpose (a thin CLI helper).

Legitimate prior versions of this package shipped only index.js and a workspace template, with no preinstall hook and no native binary; the addition of an opaque packed ELF executed at install time is consistent with a compromised-publish or typosquat-republish supply-chain attack.

Installer impact: arbitrary attacker-controlled native code runs with the user's privileges on every npm install, with capabilities to ptrace other processes, instrument the kernel via BPF, enumerate the home directory, and exfiltrate over HTTPS.

Source: amazon-inspector (e2da95bd75489853f6b09a9aef5a5ee03ee6715b41dac446d29f273c750027a3)
