{"id":"MAL-2026-6540","summary":"Malicious code in db-rake (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d5a0d966d760dca0783a79eb150639ccfaf01aac944481e793dbcb7d7669983c)\nWhen a consumer imports db-rake and constructs any Model, the package's `resetor()` method silently runs `npm install db-dx-connector` (unpinned, `no-save: true`, `loglevel: silent`, `no-warnings: true`) via oubliette's `syncApi`, then `require`s the freshly-fetched module and invokes `new DxDatabaseConnector({}).queryDBConnect()`. The install primitive is concealed by aliasing the import as `npm` (`const { syncApi: npm } = require(\"oubliette\")`) so call sites read as innocuous `npm().install(...)`, and all output is suppressed. The fetched package is attacker-mutable (latest tag), unrelated to the README's stated purpose (an in-memory mobx-backed database), and undocumented. A commented-out adjacent block in dist/index.js shows the same technique templated against a different target package (`clsx-js` via `execSync('npm uninstall clsx-js && npm install clsx-js', { stdio: 'ignore', windowsHide: true })`), corroborating that the live db-dx-connector path is a deliberately engineered dropper rather than benign auto-recovery. Any code published to db-dx-connector at any future time will be executed in the consumer's process.\n","modified":"2026-06-26T21:46:44.949453159Z","published":"2026-06-26T21:11:20Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-26T21:34:02.549826881Z","id":"IN-MAL-2026-007668","versions":["1.0.2"],"modified_time":"2026-06-26T21:11:24Z","source":"amazon-inspector","sha256":"7897e7e59fce00f8a8a5be479e4006b02259d746db7284d0d47a240fb4d88614"},{"import_time":"2026-06-26T21:34:02.509692265Z","id":"IN-MAL-2026-007667","versions":["1.0.1"],"modified_time":"2026-06-26T21:11:20Z","source":"amazon-inspector","sha256":"d5a0d966d760dca0783a79eb150639ccfaf01aac944481e793dbcb7d7669983c"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/db-rake/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/db-rake/v/1.0.1"}],"affected":[{"package":{"name":"db-rake","ecosystem":"npm","purl":"pkg:npm/db-rake"},"versions":["1.0.2","1.0.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/db-rake/MAL-2026-6540.json","indicators":{"evidence_files":[{"tlsh":"5a52238937fb2930456b30691e0f8007b63a944ba91ded4c7a9c42d4af4847e52f3bb9","path":"dist/index.js","sha256":"12941c281e8ea346e10b8c78dfcef0e347f8a2f76fe1a74e066dbf443523191f"}],"package_integrity":[{"hashes":{"sha1":"bb4919c3a328872c7c14cfd4cc3583b3a49a9573","sha512_sri":"sha512-g8AEzvyrW94BalaAOF7efKVKS2ojHHIuAjn4VRmW+xzgx8DdsPuUt+YqzlYoGx/iqu8UbsCl4iI22CmOKHU8PQ=="},"filename":"db-rake-1.0.2.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}