MAL-2026-5396

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sqlite-node/createsql/MAL-2026-5396.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5396
Published
2026-06-09T15:59:00Z
Modified
2026-06-09T17:16:27.215060898Z
Summary
Malicious code in @sqlite-node/createsql (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6f6f2c4e3192b71fc68681fbb8c8216a5e581e9f2baaa13954172249a8ddf5b6)

The package advertises itself as a SQLite toolkit but ships no SQLite functionality. Its main entry (index.js) is a single heavily obfuscated module (obfuscator.io string-array with RC4+base64 decoders, control-flow flattening, 233-entry rotated string array).

After deobfuscation, a top-level IIFE runs at require() time: it builds a 4-octet IP address via repeated string concatenation, performs an HTTP GET to that hardcoded remote host, writes the response bytes to a file in an OS directory via fs.writeFileSync, then invokes child_process.exec on the dropped file with windowsHide: true to hide the console window. Empty uncaughtException / unhandledRejection handlers and surrounding try/catch swallow errors to avoid drawing attention.

Package metadata further reinforces the lure shape: the @sqlite-node scope and createsql name imply an official SQLite toolkit, but the repository field points at an unrelated guilderguzman/array-utl_nodelump project and the package contains no SQLite implementation. Any project that runs npm install @sqlite-node/createsql and then imports the package will have arbitrary attacker-controlled code fetched and executed on the developer/CI machine at require() time.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T15:59:00Z",
            "versions": [
                "1.0.3"
            ],
            "sha256": "6f6f2c4e3192b71fc68681fbb8c8216a5e581e9f2baaa13954172249a8ddf5b6",
            "id": "IN-MAL-2026-004946",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T16:59:43.724564749Z"
        }
    ]
}
References
Credits

Affected packages

npm / @sqlite-node/createsql

Package

Name
@sqlite-node/createsql
Purl
pkg:npm/%40sqlite-node%2Fcreatesql

Affected ranges

Affected versions

1.*
1.0.3

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "6ab26203ebbdf33214d81e6913f03fa1fac43bc1cd12466c02517ad5ed7ce64c",
            "tlsh": "028265c83bc1f0705233f0b77a1fa196e1695c89a34d8848f356f498fd68318d59ab68",
            "path": "index.js"
        },
        {
            "sha256": "4ccbd0448debf1b9c022585600faa7b397b00215942d28f533389d91247e8dab",
            "tlsh": "bcf0467985a608bf0ed427a18929184ab3e2891fcc587c4922e7051c8acf4f322fd21e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "createsql-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-tF0OynCg1RhUjI9CGgsGkbvQ4l2bIT+TvZTVBjNnuC5h/bf+mM7R2tphlv9maDK3zg1RPpEOwOuYr/l/mf9HiA==",
                "sha1": "2f967b3d2e4e1b21a3d460bc6bf5b3c9f968256f"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sqlite-node/createsql/MAL-2026-5396.json"