{"id":"MAL-2026-5394","summary":"Malicious code in @sql-access/nodesql (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f4dbd816086a092ae99c8590ee3fc887ba415dd8e9d409ca4e299da61d763b1c)\n@sql-access/nodesql@1.0.7 advertises itself as SQL tooling but ships a copy of the feross/buffer library as its main entry point, with a README copied from an unrelated `bare-stream` package. The only functional change to the buffer source is a single top-level `var ins = require('@sqlite-node/createsql');` at index.js:10. The `ins` binding is never used; its sole effect is to force the top-level module code of `@sqlite-node/createsql` to execute whenever a consumer does `require('@sql-access/nodesql')`. The package name, the transitive dependency name, the discarded require result, and the unrelated decoy code together form a deliberate loader hop that hides the real payload one dependency away. Installing or requiring this package silently runs whatever `@sqlite-node/createsql` ships, under the cover of a Buffer polyfill.\n","modified":"2026-06-09T17:16:28.590868002Z","published":"2026-06-09T15:58:52Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T16:59:43.670350972Z","source":"amazon-inspector","sha256":"f4dbd816086a092ae99c8590ee3fc887ba415dd8e9d409ca4e299da61d763b1c","id":"IN-MAL-2026-004945","modified_time":"2026-06-09T15:58:52Z","versions":["1.0.7"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@sql-access/nodesql/v/1.0.7"}],"affected":[{"package":{"name":"@sql-access/nodesql","ecosystem":"npm","purl":"pkg:npm/%40sql-access%2Fnodesql"},"versions":["1.0.7"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sql-access/nodesql/MAL-2026-5394.json","indicators":{"package_integrity":[{"filename":"nodesql-1.0.7.tgz","hashes":{"sha1":"66f899d373a5dbd5184f47fa8fdcd6f9e9718a1e","sha512_sri":"sha512-uzKfO+8uCQ3kZ1aAoJ5IY9dSdK5mj7VWQk1moCljLjO5vMs+vdU/dODDbnGWomeMejVe5rGzBdGsj7LBaJU22A=="}}],"evidence_files":[{"sha256":"7bc2c525efe4593023441e42b9ea4dcee7f143f0bdc16e1efcea19896d789a0a","path":"index.js","tlsh":"b13364026f52511b4377b33d984f950efb769436422ac8c8b49c94902fb4964cabbef9"},{"sha256":"5dc9a67f91e2a531acff0f56ca24090a35f896cb43c984588a8b644fcc6212ec","path":"package.json","tlsh":"c9115b60cd34dd630ec51ad5a9680615b1219d1b9c48fc5db3d2430e4f4e0af21fd76d"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}