MAL-2026-6540

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-rake/MAL-2026-6540.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6540
Published
2026-06-26T21:11:20Z
Modified
2026-06-26T21:46:44.949453159Z
Summary
Malicious code in db-rake (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d5a0d966d760dca0783a79eb150639ccfaf01aac944481e793dbcb7d7669983c)

When a consumer imports db-rake and constructs any Model, the package's resetor() method silently runs npm install db-dx-connector (unpinned, with no-save: true, loglevel: silent and no-warnings: true) through oubliette's syncApi, then requires the freshly fetched module and calls new DxDatabaseConnector({}).queryDBConnect(). The install primitive is concealed by aliasing the import as npm (const { syncApi: npm } = require("oubliette")), so call sites read as an innocuous npm().install(...), and all install output is suppressed. Because the install runs with no-save, the fetched package never appears in the consumer's package.json or lockfile, so lockfile-based auditing will not surface it.

The fetched package is attacker-mutable (the unpinned install resolves whatever is on the latest tag at install time), is unrelated to the README's stated purpose (an in-memory mobx-backed database), and is undocumented. A commented-out block adjacent to the live code in dist/index.js shows the same technique templated against a different target package (clsx-js, via execSync('npm uninstall clsx-js && npm install clsx-js', { stdio: 'ignore', windowsHide: true })), corroborating that the live db-dx-connector path is a deliberately engineered dropper rather than benign auto-recovery. Any code published to db-dx-connector at any future time will be executed in the consumer's process, each time a Model is constructed.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.2"
            ],
            "modified_time": "2026-06-26T21:11:24Z",
            "sha256": "7897e7e59fce00f8a8a5be479e4006b02259d746db7284d0d47a240fb4d88614",
            "id": "IN-MAL-2026-007668",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T21:34:02.549826881Z"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-06-26T21:11:20Z",
            "sha256": "d5a0d966d760dca0783a79eb150639ccfaf01aac944481e793dbcb7d7669983c",
            "id": "IN-MAL-2026-007667",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T21:34:02.509692265Z"
        }
    ]
}
References
Credits

Affected packages

Package
npm / db-rake

Affected ranges

Affected versions
1.0.1
1.0.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-g8AEzvyrW94BalaAOF7efKVKS2ojHHIuAjn4VRmW+xzgx8DdsPuUt+YqzlYoGx/iqu8UbsCl4iI22CmOKHU8PQ==",
                "sha1": "bb4919c3a328872c7c14cfd4cc3583b3a49a9573"
            },
            "filename": "db-rake-1.0.2.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.js",
            "tlsh": "5a52238937fb2930456b30691e0f8007b63a944ba91ded4c7a9c42d4af4847e52f3bb9",
            "sha256": "12941c281e8ea346e10b8c78dfcef0e347f8a2f76fe1a74e066dbf443523191f"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-rake/MAL-2026-6540.json"