malware npm
weavedb-sdk
discovered 2026-06-03
Flagship WeaveDB SDK package trojanized in the IronWorm campaign and published from the compromised `asteroiddao` npm account. Carries a `preinstall: ./tools/setup` hook that executes a ~976 KB UPX-packed Rust ELF infostealer with an eBPF rootkit component.
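As an added defensive check (not code from this record or from the WeaveDB project), the following Python scans a package directory for lifecycle hooks that execute a file shipped inside the package and inspects the target for ELF and UPX markers; the sample package it builds is constructed here and is not the real artifact.

```python
import json
import os
import shlex
import tempfile

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # appears in the header of UPX-packed executables

def local_targets(command):
    """Tokens of a script command that point at files shipped inside the package."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes; fall back to a naive split
        tokens = command.split()
    return [t for t in tokens if t.startswith("./") or ("/" in t and not t.startswith("/"))]

def inspect_file(path):
    """Classify a referenced file by magic bytes; None if it is not a regular file."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # the UPX marker sits within the first few hundred bytes
    return {"elf": data[:4] == ELF_MAGIC, "upx": UPX_MARKER in data, "size": os.path.getsize(path)}

def scan_package(pkg_dir):
    """One finding per lifecycle hook command that executes a file inside the package."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        scripts = json.load(fh).get("scripts", {})
    findings = []
    for hook in LIFECYCLE:
        for target in local_targets(scripts.get(hook, "")):
            info = inspect_file(os.path.join(pkg_dir, target))
            if info is not None:
                severity = "high" if info["elf"] else "review"
                findings.append({"hook": hook, "target": target, "severity": severity, **info})
    return findings

def build_sample_package(root):
    """Constructed sample with the layout described above; not the real package."""
    os.makedirs(os.path.join(root, "tools"), exist_ok=True)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "sample", "scripts": {"preinstall": "./tools/setup"}}, fh)
    with open(os.path.join(root, "tools", "setup"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 60 + UPX_MARKER + b"\x00" * 200)  # fake packed ELF
    return root

if __name__ == "__main__":
    for finding in scan_package(build_sample_package(tempfile.mkdtemp())):
        print(finding)
```

Run it against an unpacked tarball (`npm pack` output) before installing; a `high` finding means an install hook hands control to a native binary bundled with the package.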
Threat types
- credential_stealer
- worm
- crypto_drainer
- data_exfiltration
- persistence
- c2_agent
Malicious versions
- 0.45.3
Campaigns
- IronWorm
Indicators
- file_path tools/setup (indicates)
- file_path .github/scripts/precheck (indicates)
- file_path q2.bpf.c (indicates)
- url tor://api/agent (communicates-with)
- url https://temp.sh (exfiltrates-to)
- url http://127.0.0.1:8738 (communicates-with)
- url https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package (communicates-with)
- wallet 0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6 (indicates)
- email claude@users.noreply.github.com (indicates)
Techniques
- ttp T1195.002 Compromise Software Supply Chain (uses)
- ttp T1027 Obfuscated Files or Information (uses)
- ttp T1140 Deobfuscate/Decode Files or Information (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1552.005 Unsecured Credentials: Cloud Instance Metadata API (uses)
- ttp T1528 Steal Application Access Token (uses)
- ttp T1078 Valid Accounts (uses)
- ttp T1041 Exfiltration Over C2 Channel (uses)
- ttp T1090.003 Proxy: Multi-hop Proxy (uses)
- ttp T1014 Rootkit (uses)
- ttp T1564 Hide Artifacts (uses)
- ttp T1562.001 Impair Defenses: Disable or Modify Tools (uses)
- ttp T1622 Debugger Evasion (uses)
- ttp T1098 Account Manipulation (uses)
- ttp T1036 Masquerading (uses)
- ttp T1547.013 Boot or Logon Autostart Execution: XDG Autostart Entries (uses)
- ttp T1056.001 Input Capture: Keylogging (uses)
