Embedded Malicious Code Affecting wdb-core package, versions =0.1.2
Threat Intelligence
Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-WDBCORE-17146531
- published4 Jun 2026
- disclosed2 Jun 2026
- creditUnknown
Introduced: 2 Jun 2026
New Malicious CVE NOT AVAILABLE CWE-506 (opens in a new tab)How to fix?
Avoid using all malicious instances of the wdb-core package.
Overview
Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristics include:
Credential Theft: It exhaustively scrapes developer machines and Kubernetes pods for over 80 types of secrets, including cloud provider tokens, AI API keys, and crypto wallets.
Self-Replication: It hijacks compromised accounts to forge backdated commits in victims' GitHub repositories. It alters build hooks or GitHub Actions to propagate itself and automatically publishes trojanized packages to the npm registry.
System Evasion: It uses an eBPF kernel rootkit to rewrite system logs and hide its processes from monitoring tools like ps and top.
Remote Control: It establishes a Tor-based command-and-control channel to exfiltrate stolen data, download additional payloads, or execute remote shell commands on the infected machine.