MAL-2026-6142

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-connector-log/MAL-2026-6142.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6142

Published

2026-06-18T22:29:10Z

Modified

2026-06-18T23:16:47.473303682Z

Summary

Malicious code in db-connector-log (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6828cdaf9f4280f7739fd6f5a838a63ea7bc8f7bb0c94eec52fb881c2701c724)

The package impersonates the legitimate dx-db-connector (the package.json repository field points at git+https://github.com/divbloxjs/dx-db-connector.git) and replicates that connector's API surface, while adding an undocumented method queryDBConnect on the exported class. queryDBConnect base64-decodes a hardcoded URL (stored in a variable misleadingly named HASH_KEY and decoded with atob to evade static URL scanners), HTTP-GETs https://jsonkeeper.com/b/L435A — an anonymous, mutable JSON paste host — extracts the response's.session field, spawns a detached node child process, and writes that attacker-controlled content to its stdin, executing arbitrary JavaScript on the installer's machine. The combination of name impersonation, base64 URL obfuscation, anonymous mutable host, and stdin-piped node execution is a textbook remote-code-execution dropper. While the malicious method requires a caller to invoke it, it sits on the class consumers instantiate as the DB connector and resembles the surrounding DB methods, so normal use of the advertised API can reach it.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "6828cdaf9f4280f7739fd6f5a838a63ea7bc8f7bb0c94eec52fb881c2701c724",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T22:29:10Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007038",
            "import_time": "2026-06-18T23:09:38.905783252Z"
        }
    ]
}

References

https://www.npmjs.com/package/db-connector-log/v/1.0.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / db-connector-log

Package

Name: db-connector-log; View open source insights on deps.dev
Purl: pkg:npm/db-connector-log

Affected ranges

Affected versions

1.*

1.0.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-connector-log/MAL-2026-6142.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "fdd4079dacc0597f3de3d409fac53448930461eeb38a9569888f4110a43ceec2",
            "tlsh": "f3723f0637f72527017b7064a6cb4080a539f41b2b35d864be5cc6715fa87b8bda37d8",
            "path": "index.js"
        },
        {
            "sha256": "ab7f3efdaf879c3d0608510084e05f401a431e4a8ea6340f70ac9e2a02b3f8cb",
            "tlsh": "38016835c9201ca326ab36984c555205b12190ebcf08fd4077dc516c8f6e29f22aa3ae",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-c6OKNNuEnh/sdfnkLYSDaEk5InSvnJ/ykyStsYHWEzwwQiYmBgNODAJaxHAVR1U3O/nTK9herUxe17TpfM0blg==",
                "sha1": "9f34821eca98d0586b1762ca073c58ea47f2458f"
            },
            "filename": "db-connector-log-1.0.0.tgz"
        }
    ]
}