weavedb-sdk
Flagship WeaveDB SDK package trojanized in the IronWorm campaign and published from the compromised `asteroiddao` npm account. Carries a `preinstall: ./tools/setup` hook that executes a ~976 KB UPX-packed Rust ELF infostealer with an eBPF rootkit component.
discovered 2026-06-03
Threat types
- credential_stealer
- worm
- crypto_drainer
- data_exfiltration
- persistence
- c2_agent
Malicious versions
- 0.45.3
Campaigns
Indicators
- file_path: `tools/setup` (indicates)
- file_path: `.github/scripts/precheck` (indicates)
- file_path: `q2.bpf.c` (indicates)
- url: `tor://api/agent` (communicates-with)
- url: `https://temp.sh` (exfiltrates-to)
- url: `http://127.0.0.1:8738` (communicates-with)
- url: `https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package` (communicates-with)
- wallet: `0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6` (indicates)
- email: [email protected] (indicates)
Techniques
- ttp: T1195.002 Compromise Software Supply Chain (uses)
- ttp: T1027 Obfuscated Files or Information (uses)
- ttp: T1140 Deobfuscate/Decode Files or Information (uses)
- ttp: T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp: T1552.005 Unsecured Credentials: Cloud Instance Metadata API (uses)
- ttp: T1528 Steal Application Access Token (uses)
- ttp: T1078 Valid Accounts (uses)
- ttp: T1041 Exfiltration Over C2 Channel (uses)
- ttp: T1090.003 Proxy: Multi-hop Proxy (uses)
- ttp: T1014 Rootkit (uses)
- ttp: T1564 Hide Artifacts (uses)
- ttp: T1562.001 Impair Defenses: Disable or Modify Tools (uses)
- ttp: T1622 Debugger Evasion (uses)
- ttp: T1098 Account Manipulation (uses)
- ttp: T1036 Masquerading (uses)
- ttp: T1547.013 Boot or Logon Autostart Execution: XDG Autostart Entries (uses)
- ttp: T1056.001 Input Capture: Keylogging (uses)
