MAL-2026-5463

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-dx-connector/MAL-2026-5463.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5463
Published
2026-06-09T20:18:26Z
Modified
2026-06-09T21:01:33.973391987Z
Summary
Malicious code in db-dx-connector (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6eeeef7d309b24e00c0e45df8736d1d8b8d279207d2bfa766c75890815e5382d)

db-dx-connector is a name-swap typosquat of the legitimate dx-db-connector package (the package's own repository, bugs, and homepage fields all point to github.com/divbloxjs/dx-db-connector). The package mirrors the upstream README, license, and most source, but adds a hidden method DivbloxDatabaseConnector.queryDBConnect() in index.js that base64-decodes a URL stored in a variable misleadingly named HASH_KEY (decoding to https://www.jsonkeeper.com/b/ZIAIK), HTTP-GETs its .data.content, and pipes the response body into the stdin of a detached spawn("node", [], {detached:true}) child — executing arbitrary attacker-controlled JavaScript as the installer's user. jsonkeeper.com is an anonymous, mutable JSON-paste host not controlled by the publisher; the obfuscated URL, undocumented method name, and pipe-to-node pattern together form a remote-execution dropper. Any caller who reaches queryDBConnect() (e.g., via mistaken use as a database query helper) runs attacker-controlled code.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T20:18:26Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "6eeeef7d309b24e00c0e45df8736d1d8b8d279207d2bfa766c75890815e5382d",
            "id": "IN-MAL-2026-005190",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:50.787271159Z"
        }
    ]
}

Affected packages

npm / db-dx-connector

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "7e8b618753db019263d7d472f0ca2a1561c428cc7dae515032d9677bb5d4d892",
            "tlsh": "d672300637f72527017b7068a6cb5080a439f41b2b35d860be5cc6715fa87b8bda37d8",
            "path": "index.js"
        },
        {
            "sha256": "a3b56e8adb7dfc3d892216b7d548536f6c19e2917c23b1757ac95b1c69d4c8d5",
            "tlsh": "32016835c9201ca316ab36984c555105b12190ebcf08ed4477cc116ccf6e29b22ae3ae",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-xxK01exWEJD1dj5iX/S23WoZ/RT1QH4y+6yDysyyrsXn0tZg3ut2RK5vHZtS1cgnImaHWYiMJXeEUSOZGLBnJg==",
                "sha1": "4621c8f4e81dda030638bbdd54dbca0407770454"
            },
            "filename": "db-dx-connector-1.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-dx-connector/MAL-2026-5463.json"