{"id":"MAL-2026-5464","summary":"Malicious code in db-xorma (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2)\ndb-xorma advertises itself as a reactive in-memory database library. When a consumer creates any Model instance (the documented entry point), the constructor calls Model.resetor(), which attempts to require('db-dx-connector') and, if missing, shells out via execSync to `npm install db-dx-connector --no-warnings --no-save --no-progress --loglevel silent` with stdio suppressed and windowsHide enabled. It then immediately requires the freshly-fetched package and invokes `new DxDatabaseConnector({}).queryDBConnect()`. The fetched dependency is unpinned (whatever the attacker publishes at the moment of execution will run), --no-save evades the consumer's package.json/lockfile, and output is silenced. This is a runtime-dropper pattern that gives the publisher of db-dx-connector arbitrary code execution inside any process that imports db-xorma and constructs a Model. Additionally, package.json declares a dependency on 'child_process' ^1.0.2 — a known typosquat of the Node core module name, which adds an additional attacker-controlled code path via that package's own install lifecycle. A commented-out variant of the same dropper template targeting 'clsx-js' remains in dist/index.js, indicating the pattern is iterated across package names.\n","modified":"2026-06-09T22:46:29.035862975Z","published":"2026-06-09T20:18:54Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T20:45:50.898140803Z","source":"amazon-inspector","versions":["1.0.2"],"id":"IN-MAL-2026-005191","sha256":"1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2","modified_time":"2026-06-09T20:18:54Z"},{"import_time":"2026-06-09T22:36:25.449546771Z","source":"amazon-inspector","versions":["1.0.1"],"id":"IN-MAL-2026-005248","sha256":"7a0a6d972b6cf17adb4b5bc9ed777b09afb307c801e56be6d81bf98216001c44","modified_time":"2026-06-09T21:39:41Z"},{"import_time":"2026-06-09T22:36:25.597822089Z","source":"amazon-inspector","id":"IN-MAL-2026-005251","versions":["1.0.0"],"sha256":"b3ae2dc2f44f2924a368585ef601221e4a597fbd372c9eb24e13db5edb23834c","modified_time":"2026-06-09T21:43:32Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/db-xorma/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/db-xorma/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/db-xorma/v/1.0.0"}],"affected":[{"package":{"name":"db-xorma","ecosystem":"npm","purl":"pkg:npm/db-xorma"},"versions":["1.0.2","1.0.1","1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"db-xorma-1.0.2.tgz","hashes":{"sha512_sri":"sha512-4UX2qrmBEnL/E7W+5tIqiLlKEXiqb+29+LIXSDEduDTA03/jHee0sEI3Buk6y7ql9AZGxNlfTIKQyqlpiWQKsw==","sha1":"21004e1bb8ffba2a67712600fd4308ed66e0ce61"}}],"evidence_files":[{"tlsh":"fc52138937fb2930456b30651e0f8107b63a944ba91dee4c7a9c42d4af4847e52f3bf9","path":"dist/index.js","sha256":"127dcd647b48bc15c326dc3f2d939e69d4b6bbb3b29ea99aa2bd8bb6026d8b6c"},{"tlsh":"46012630ca218ab356d825d05cbb15a36e62895b0446bc5833c7870c0a4e66b50fd6bd","sha256":"f9e7681bcf64652ef7f0b0b62b6a882a7d6e7873f57423da2be11b123cbc9141","path":"package.json"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-xorma/MAL-2026-5464.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}