registry  /  @sqlite-clone/nodesql  /  1.0.2

@sqlite-clone/nodesql@1.0.2

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10577 confirms this npm version as malicious. The package is published as @sqlite-clone/nodesql but its shipped index.js is a verbatim copy of the well-known feross/buffer polyfill with a single injected top-level statement: `var ins = import('@sqlite-panel/createsql');`. This dynamic import fires whenever a consumer requires or imports the package, transitively loading and executing whatever code the sibling scoped package @sqlite-panel/createsql ships...

Advisory
MAL-2026-10577
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @sqlite-clone/nodesql (npm)
Details
The package is published as @sqlite-clone/nodesql but its shipped index.js is a verbatim copy of the well-known feross/buffer polyfill with a single injected top-level statement: `var ins = import('@sqlite-panel/createsql');`. This dynamic import fires whenever a consumer requires or imports the package, transitively loading and executing whatever code the sibling scoped package @sqlite-panel/createsql ships. The package name, keywords ('node','sql'), README (titled 'bare-stream' and instructing users to `npm i @sql-access/nods`), and actual code body (buffer polyfill) do not agree with each other, and the declared dependency lives under a third, unrelated scope — a lure/cover-story shape rather than a legitimate library. The buffer-polyfill body serves as camouflage: the tarball has no direct network I/O of its own; the entire supply-chain effect is delivered through the transitively pulled attacker-controlled dependency. ## Source: ghsa-malware (985672f13ce54593863a51a4aa24b8eabb3a47e3cc65149c57061969d9621e45) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms @sqlite-clone/nodesql@1.0.2 as malicious (MAL-2026-10577): Malicious code in @sqlite-clone/nodesql (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory