MAL-2026-5394

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sql-access/nodesql/MAL-2026-5394.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5394
Published
2026-06-09T15:58:52Z
Modified
2026-06-09T17:16:28.590868002Z
Summary
Malicious code in @sql-access/nodesql (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f4dbd816086a092ae99c8590ee3fc887ba415dd8e9d409ca4e299da61d763b1c)

@sql-access/nodesql@1.0.7 advertises itself as SQL tooling but ships a copy of the feross/buffer library as its main entry point, with a README copied from an unrelated bare-stream package. The only functional change to the buffer source is a single top-level var ins = require('@sqlite-node/createsql'); at index.js:10. The ins binding is never used; its sole effect is to force @sqlite-node/createsql to execute its module top-level whenever a consumer does require('@sql-access/nodesql'). The package name, the transitive dependency name, the discarded require result, and the unrelated decoy code together form a deliberate loader hop that hides the real payload one dependency away. Installing or requiring this package silently runs whatever @sqlite-node/createsql ships, under the cover of a Buffer polyfill.
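Added example, not code from the advisory, from amazon-inspector, or from either package named above: a defender's check for the loader-hop pattern just described, flagging top-level require() calls whose result is discarded or bound to a name that is never used again. It assumes a line-oriented regex heuristic (not a real parser) and runs on a constructed index.js fragment that mirrors the described layout.

```javascript
// Heuristic, regex-based scan (assumption: one statement per line); hits are leads for review, not verdicts.
const REQUIRE_BOUND =
  /^\s*(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*require\(\s*(['"])([^'"]+)\2\s*\)\s*;?\s*$/;
const REQUIRE_BARE = /^\s*require\(\s*(['"])([^'"]+)\1\s*\)\s*;?\s*$/;

// Returns one {line, dep, binding, reason} record per suspicious top-level require.
function findLoaderHops(source) {
  const lines = source.split('\n');
  const hits = [];
  lines.forEach((line, i) => {
    let name = null, dep = null;
    let m = line.match(REQUIRE_BOUND);
    if (m) { name = m[1]; dep = m[3]; }
    else if ((m = line.match(REQUIRE_BARE))) { dep = m[2]; }
    if (!dep) return;
    // Relative paths are the package's own files; only external dependencies matter here.
    if (dep.startsWith('.') || dep.startsWith('/')) return;
    if (name) {
      // Whole-word search for the binding on every other line of the file.
      const use = new RegExp('\\b' + name.replace(/\$/g, '\\$') + '\\b');
      if (lines.some((l, j) => j !== i && use.test(l))) return;
    }
    hits.push({ line: i + 1, dep, binding: name,
                reason: name ? 'binding never used' : 'result discarded' });
  });
  return hits;
}

// Constructed sample mirroring the pattern described above: a Buffer polyfill
// fragment whose only foreign require sits at line 10 and is never referenced.
const SAMPLE_INDEX_JS = [
  "'use strict'",
  "var base64 = require('base64-js')",
  "var ieee754 = require('ieee754')",
  '',
  'exports.Buffer = Buffer',
  'exports.INSPECT_MAX_BYTES = 50',
  '',
  'var K_MAX_LENGTH = 0x7fffffff',
  'exports.kMaxLength = K_MAX_LENGTH',
  "var ins = require('@sqlite-node/createsql');",
  'function Buffer (arg, encodingOrOffset, length) {',
  '  return base64.toByteArray(arg, ieee754, encodingOrOffset, length)',
  '}',
].join('\n');

console.log(findLoaderHops(SAMPLE_INDEX_JS));
```

The two legitimate requires (base64-js, ieee754) are used inside Buffer and are not reported; only the discarded @sqlite-node/createsql binding at line 10 is.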

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T15:58:52Z",
            "versions": [
                "1.0.7"
            ],
            "sha256": "f4dbd816086a092ae99c8590ee3fc887ba415dd8e9d409ca4e299da61d763b1c",
            "id": "IN-MAL-2026-004945",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:43.670350972Z"
        }
    ]
}
References
Credits

Affected packages

npm / @sql-access/nodesql

Package

Name
@sql-access/nodesql
Purl
pkg:npm/%40sql-access%2Fnodesql

Affected ranges

Affected versions

1.*
1.0.7

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "7bc2c525efe4593023441e42b9ea4dcee7f143f0bdc16e1efcea19896d789a0a",
            "tlsh": "b13364026f52511b4377b33d984f950efb769436422ac8c8b49c94902fb4964cabbef9",
            "path": "index.js"
        },
        {
            "sha256": "5dc9a67f91e2a531acff0f56ca24090a35f896cb43c984588a8b644fcc6212ec",
            "tlsh": "c9115b60cd34dd630ec51ad5a9680615b1219d1b9c48fc5db3d2430e4f4e0af21fd76d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-uzKfO+8uCQ3kZ1aAoJ5IY9dSdK5mj7VWQk1moCljLjO5vMs+vdU/dODDbnGWomeMejVe5rGzBdGsj7LBaJU22A==",
                "sha1": "66f899d373a5dbd5184f47fa8fdcd6f9e9718a1e"
            },
            "filename": "nodesql-1.0.7.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sql-access/nodesql/MAL-2026-5394.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]