-= Per source details. Do not edit below this line.=-
The package name db-dx-connector inverts the word order of the legitimate dx-db-connector package (whose own GitHub URL github.com/divbloxjs/dx-db-connector is referenced in this package's metadata). It replicates the legitimate package's MySQL-connector API surface and adds an undocumented method queryDBConnect in index.js (lines 226-238) that constitutes a backdoor: a base64-encoded URL stored in a misleadingly named HASH_KEY constant decodes to https://www.jsonkeeper.com/b/ZIAIK (an anonymous, mutable paste-hosting service), the method fetches .data.content from that URL via axios, constructs a synthetic Node module, and calls m._compile(s1, 'error.js') to execute the fetched JavaScript inside the consumer's Node process. Errors are silently swallowed in a try/catch. Whoever controls the paste can ship arbitrary code into any process that calls queryDBConnect(). The combination of name inversion against a real package, base64 URL obfuscation, anonymous attacker-controlled host, runtime fetch+compile of remote JavaScript, and silent error suppression is an unambiguous remote-code-execution backdoor.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"sha256": "6eeeef7d309b24e00c0e45df8736d1d8b8d279207d2bfa766c75890815e5382d",
"modified_time": "2026-06-09T20:18:26Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005190",
"import_time": "2026-06-09T20:45:50.787271159Z"
},
{
"versions": [
"1.0.1"
],
"sha256": "b0a6cd3a84c38e801823eba4ccf0d4ff2a28f5955309bfb300f7f0f640b1a69b",
"modified_time": "2026-06-16T22:47:12Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-006858",
"import_time": "2026-06-16T23:03:44.318776268Z"
},
{
"versions": [
"1.0.2"
],
"sha256": "ee8717a253384a26fdaea14cf33003127a3ab77c8ec5cc28e93f73ba79d3e0f9",
"source": "amazon-inspector",
"modified_time": "2026-06-18T19:08:47Z",
"import_time": "2026-06-18T19:20:02.780433786Z",
"id": "IN-MAL-2026-007023"
},
{
"versions": [
"1.0.3"
],
"sha256": "074f9125a23bf19f9f20f101c2db4888d121e6bd931fcb9933ef0e4f899c3759",
"modified_time": "2026-06-26T18:12:40Z",
"source": "amazon-inspector",
"import_time": "2026-06-26T18:42:49.694195222Z",
"id": "IN-MAL-2026-007650"
}
]
}{
"package_integrity": [
{
"filename": "db-dx-connector-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-xxK01exWEJD1dj5iX/S23WoZ/RT1QH4y+6yDysyyrsXn0tZg3ut2RK5vHZtS1cgnImaHWYiMJXeEUSOZGLBnJg==",
"sha1": "4621c8f4e81dda030638bbdd54dbca0407770454"
}
}
],
"evidence_files": [
{
"sha256": "7e8b618753db019263d7d472f0ca2a1561c428cc7dae515032d9677bb5d4d892",
"path": "index.js",
"tlsh": "d672300637f72527017b7068a6cb5080a439f41b2b35d860be5cc6715fa87b8bda37d8"
},
{
"sha256": "a3b56e8adb7dfc3d892216b7d548536f6c19e2917c23b1757ac95b1c69d4c8d5",
"path": "package.json",
"tlsh": "32016835c9201ca316ab36984c555105b12190ebcf08ed4477cc116ccf6e29b22ae3ae"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-dx-connector/MAL-2026-5463.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]