MAL-2026-10627

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sqlite-frame/nodesql/MAL-2026-10627.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10627
Published
2026-07-15T01:12:34Z
Modified
2026-07-15T05:19:41.434602160Z
Summary
Malicious code in @sqlite-frame/nodesql (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0b24506932cbd3f2258f2448b83918ba2acee09cd896467780f8b1dc18b9eb42)

index.js is a near-verbatim copy of the upstream feross/buffer library with a single injected top-level statement var ins = import('@sqlite-frame/createsql'); placed immediately after 'use strict'. On any require('@sqlite-frame/nodesql'), Node dynamically imports the sibling scoped package @sqlite-frame/createsql (declared as a runtime dependency), causing that package's code to execute in the consumer's process without user awareness. The README compounds the deception: it presents the package as bare-stream and instructs npm i @sql-access/nods, while the tarball is actually published as @sqlite-frame/nodesql and ships a Buffer clone rather than a streaming library. Author metadata and the repository guilderguzman/sql-link do not match the advertised identity. This is a lure/wrapper whose only added behavior over the upstream library it copies is to smuggle a sibling package into the dependency graph and auto-load it on import.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-15T01:12:47Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T01:37:35.088965302Z",
            "versions": [
                "1.0.3"
            ],
            "id": "IN-MAL-2026-010593",
            "sha256": "0b24506932cbd3f2258f2448b83918ba2acee09cd896467780f8b1dc18b9eb42"
        },
        {
            "modified_time": "2026-07-15T01:12:34Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T01:37:34.995157553Z",
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-010592",
            "sha256": "bd05dbbbc74741e39f6e07b882d8c4ee1581fcd1ff714438cd4c764b5c28fbdf"
        }
    ]
}
References
Credits

Affected packages

npm / @sqlite-frame/nodesql

Package

Name
@sqlite-frame/nodesql
View open source insights on deps.dev
Purl
pkg:npm/%40sqlite-frame/nodesql

Affected ranges

Affected versions

1.*
1.0.2
1.0.3

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "nodesql-1.0.3.tgz",
            "hashes": {
                "sha1": "4fa8ae447a9d0a16bb9fd67d9746a2f51ba812c7",
                "sha512_sri": "sha512-xd6hsMAhG09AWtmzqAB5HJKJAERIxL9M0hQtW6taGAmhXrr9qN5wzj2TmqMOi4UEwmb2evfw8dB5Vj/Wp6FSfQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "7b3364026f52511b4377b33d984f950efb769436422ac8c8b49cd4902fb4964cabbef9",
            "path": "index.js",
            "sha256": "920d5b34bb915dbda5949190250ef158a89986e24e1bd5f718c27bbbf7f3ce4b"
        },
        {
            "tlsh": "f3d0229f2807030e2f433cc110e04e29b695788cce089859b800872389a0230235820c",
            "path": "README.md",
            "sha256": "3e41caa00cca47d4f2c1009c8e122d20885857da6587bac53b89f26c6d0bb61f"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sqlite-frame/nodesql/MAL-2026-10627.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]