-= Per source details. Do not edit below this line.=-
index.js is a near-verbatim copy of the upstream feross/buffer library with a single injected top-level statement var ins = import('@sqlite-frame/createsql'); placed immediately after 'use strict'. On any require('@sqlite-frame/nodesql'), Node dynamically imports the sibling scoped package @sqlite-frame/createsql (declared as a runtime dependency), causing that package's code to execute in the consumer's process without user awareness. The README compounds the deception: it presents the package as bare-stream and instructs npm i @sql-access/nods, while the tarball is actually published as @sqlite-frame/nodesql and ships a Buffer clone rather than a streaming library. Author metadata and the repository guilderguzman/sql-link do not match the advertised identity. This is a lure/wrapper whose only added behavior over the upstream library it copies is to smuggle a sibling package into the dependency graph and auto-load it on import.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-15T01:12:47Z",
"source": "amazon-inspector",
"import_time": "2026-07-15T01:37:35.088965302Z",
"versions": [
"1.0.3"
],
"id": "IN-MAL-2026-010593",
"sha256": "0b24506932cbd3f2258f2448b83918ba2acee09cd896467780f8b1dc18b9eb42"
},
{
"modified_time": "2026-07-15T01:12:34Z",
"source": "amazon-inspector",
"import_time": "2026-07-15T01:37:34.995157553Z",
"versions": [
"1.0.2"
],
"id": "IN-MAL-2026-010592",
"sha256": "bd05dbbbc74741e39f6e07b882d8c4ee1581fcd1ff714438cd4c764b5c28fbdf"
}
]
}{
"package_integrity": [
{
"filename": "nodesql-1.0.3.tgz",
"hashes": {
"sha1": "4fa8ae447a9d0a16bb9fd67d9746a2f51ba812c7",
"sha512_sri": "sha512-xd6hsMAhG09AWtmzqAB5HJKJAERIxL9M0hQtW6taGAmhXrr9qN5wzj2TmqMOi4UEwmb2evfw8dB5Vj/Wp6FSfQ=="
}
}
],
"evidence_files": [
{
"tlsh": "7b3364026f52511b4377b33d984f950efb769436422ac8c8b49cd4902fb4964cabbef9",
"path": "index.js",
"sha256": "920d5b34bb915dbda5949190250ef158a89986e24e1bd5f718c27bbbf7f3ce4b"
},
{
"tlsh": "f3d0229f2807030e2f433cc110e04e29b695788cce089859b800872389a0230235820c",
"path": "README.md",
"sha256": "3e41caa00cca47d4f2c1009c8e122d20885857da6587bac53b89f26c6d0bb61f"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sqlite-frame/nodesql/MAL-2026-10627.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]