-= Per source details. Do not edit below this line.=-
The package advertises itself as a MySQL connector but index.js (around line 236) contains a method queryDBConnect() on the exported DivbloxDatabaseConnector class that base64-decodes a hardcoded URL (aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iLzJQNUZB → https://jsonkeeper.com/b/2P5FA, an anonymous, mutable JSON-paste host), fetches the .data.content field via axios.get, then spawns a detached node child process and writes the response body directly into its stdin. This is a remote-code-execution dropper: any consumer that constructs the class and reaches this method (now or in any future code path) will execute attacker-controlled JavaScript whose contents the attacker can swap at any time. Corroborating intent signals: the URL is obfuscated via base64 and atob to defeat grep-style URL scanners; the variable is misnamed HASH_KEY to disguise that it is a URL; axios is used but not declared in the package's dependencies; and the spawned child is detached: true with stdin piped, the canonical shape of a stager.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-006016",
"modified_time": "2026-06-12T19:07:24Z",
"import_time": "2026-06-12T19:43:58.592275954Z",
"sha256": "f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2",
"source": "amazon-inspector"
},
{
"sha256": "7c95cece679b4ee82a7441f2ed422c648507a603e1b94ddac32255998298b026",
"id": "GHSA-9vfq-xv95-fh28",
"import_time": "2026-07-06T19:53:47.943093829Z",
"modified_time": "2026-07-06T18:59:03Z",
"versions": [
"1.0.0"
],
"source": "ghsa-malware"
}
]
}{
"evidence_files": [
{
"tlsh": "24723f0637f72527017b7068a6cb4080a439f41b2b35d860be5cc6715fa87b8bda37d8",
"sha256": "5d6bd94780fab0980092bfc96c5268960fe7256f7b3fd0e146dfdb09fac26e3a",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "theta-connector-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-tYms9tFW92yj3lEN9PunGQUpUQnC+ahAjmWqbs15huP7jbEoDQbYxaHsEZV7jpt5bUVbQNyvvncvnUGE1OOrWA==",
"sha1": "0f3c8cf4578a72041a3badc8062b9ccfd63d1ce0"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/theta-connector/MAL-2026-5705.json"