{"id":"MAL-2026-5463","summary":"Malicious code in db-dx-connector (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6eeeef7d309b24e00c0e45df8736d1d8b8d279207d2bfa766c75890815e5382d)\ndb-dx-connector is a name-swap typosquat of the legitimate dx-db-connector package (the package's own repository, bugs, and homepage fields all point to github.com/divbloxjs/dx-db-connector). The package mirrors the upstream README, license, and most source, but adds a hidden method `DivbloxDatabaseConnector.queryDBConnect()` in index.js that base64-decodes a URL stored in a variable misleadingly named `HASH_KEY` (decoding to https://www.jsonkeeper.com/b/ZIAIK), HTTP-GETs its `.data.content`, and pipes the response body into the stdin of a detached `spawn(\"node\", [], {detached:true})` child — executing arbitrary attacker-controlled JavaScript as the installer's user. jsonkeeper.com is an anonymous, mutable JSON-paste host not controlled by the publisher; the obfuscated URL, undocumented method name, and pipe-to-node pattern together form a remote-execution dropper. Any caller who reaches `queryDBConnect()` (e.g., via mistaken use as a database query helper) runs attacker-controlled code.\n","modified":"2026-06-09T21:01:33.973391987Z","published":"2026-06-09T20:18:26Z","database_specific":{"malicious-packages-origins":[{"sha256":"6eeeef7d309b24e00c0e45df8736d1d8b8d279207d2bfa766c75890815e5382d","modified_time":"2026-06-09T20:18:26Z","import_time":"2026-06-09T20:45:50.787271159Z","id":"IN-MAL-2026-005190","versions":["1.0.0"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/db-dx-connector/v/1.0.0"}],"affected":[{"package":{"name":"db-dx-connector","ecosystem":"npm","purl":"pkg:npm/db-dx-connector"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-dx-connector/MAL-2026-5463.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"path":"index.js","sha256":"7e8b618753db019263d7d472f0ca2a1561c428cc7dae515032d9677bb5d4d892","tlsh":"d672300637f72527017b7068a6cb5080a439f41b2b35d860be5cc6715fa87b8bda37d8"},{"path":"package.json","sha256":"a3b56e8adb7dfc3d892216b7d548536f6c19e2917c23b1757ac95b1c69d4c8d5","tlsh":"32016835c9201ca316ab36984c555105b12190ebcf08ed4477cc116ccf6e29b22ae3ae"}],"package_integrity":[{"hashes":{"sha1":"4621c8f4e81dda030638bbdd54dbca0407770454","sha512_sri":"sha512-xxK01exWEJD1dj5iX/S23WoZ/RT1QH4y+6yDysyyrsXn0tZg3ut2RK5vHZtS1cgnImaHWYiMJXeEUSOZGLBnJg=="},"filename":"db-dx-connector-1.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}