{"id":"MAL-2026-5396","summary":"Malicious code in @sqlite-node/createsql (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6f6f2c4e3192b71fc68681fbb8c8216a5e581e9f2baaa13954172249a8ddf5b6)\nThe package advertises itself as a SQLite toolkit but ships no SQLite functionality. Its main entry (index.js) is a single heavily obfuscated module (obfuscator.io string-array with RC4+base64 decoders, control-flow flattening, 233-entry rotated string array). After deobfuscation, a top-level IIFE runs at require() time: it builds a 4-octet IP address via repeated string concatenation, performs an HTTP GET to that hardcoded remote host, writes the response bytes to a file in an OS directory via fs.writeFileSync, then invokes child_process.exec on the dropped file with `windowsHide: true` to hide the console window. Empty `uncaughtException` / `unhandledRejection` handlers and surrounding try/catch swallow errors to avoid drawing attention. Package metadata further reinforces the lure shape: the `@sqlite-node` scope and `createsql` name imply an official SQLite toolkit, but the repository field points at an unrelated `guilderguzman/array-utl_nodelump` project and the package contains no SQLite implementation.\nAny project that runs `npm install @sqlite-node/createsql` and then imports the package will have arbitrary attacker-controlled code fetched and executed on the developer/CI machine.\n","modified":"2026-06-09T17:16:27.215060898Z","published":"2026-06-09T15:59:00Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T16:59:43.724564749Z","modified_time":"2026-06-09T15:59:00Z","source":"amazon-inspector","id":"IN-MAL-2026-004946","versions":["1.0.3"],"sha256":"6f6f2c4e3192b71fc68681fbb8c8216a5e581e9f2baaa13954172249a8ddf5b6"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@sqlite-node/createsql/v/1.0.3"}],"affected":[{"package":{"name":"@sqlite-node/createsql","ecosystem":"npm","purl":"pkg:npm/%40sqlite-node%2Fcreatesql"},"versions":["1.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@sqlite-node/createsql/MAL-2026-5396.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"6ab26203ebbdf33214d81e6913f03fa1fac43bc1cd12466c02517ad5ed7ce64c","tlsh":"028265c83bc1f0705233f0b77a1fa196e1695c89a34d8848f356f498fd68318d59ab68","path":"index.js"},{"sha256":"4ccbd0448debf1b9c022585600faa7b397b00215942d28f533389d91247e8dab","tlsh":"bcf0467985a608bf0ed427a18929184ab3e2891fcc587c4922e7051c8acf4f322fd21e","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-tF0OynCg1RhUjI9CGgsGkbvQ4l2bIT+TvZTVBjNnuC5h/bf+mM7R2tphlv9maDK3zg1RPpEOwOuYr/l/mf9HiA==","sha1":"2f967b3d2e4e1b21a3d460bc6bf5b3c9f968256f"},"filename":"createsql-1.0.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}