OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10627 confirms this npm version as malicious. index.js is a near-verbatim copy of the upstream feross/buffer library with a single injected top-level statement `var ins = import('@sqlite-frame/createsql');` placed immediately after 'use strict'...
Advisory
MAL-2026-10627
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @sqlite-frame/nodesql (npm)
Details
index.js is a near-verbatim copy of the upstream feross/buffer library with a single injected top-level statement `var ins = import('@sqlite-frame/createsql');` placed immediately after 'use strict'. On any `require('@sqlite-frame/nodesql')`, Node dynamically imports the sibling scoped package @sqlite-frame/createsql (declared as a runtime dependency), causing that package's code to execute in the consumer's process without user awareness. The README compounds the deception: it presents the package as `bare-stream` and instructs `npm i @sql-access/nods`, while the tarball is actually published as @sqlite-frame/nodesql and ships a Buffer clone rather than a streaming library. Author metadata and the repository `guilderguzman/sql-link` do not match the advertised identity. This is a lure/wrapper whose only added behavior over the upstream library it copies is to smuggle a sibling package into the dependency graph and auto-load it on import.
Decision reason
OpenSSF Malicious Packages via OSV confirms @sqlite-frame/nodesql@1.0.2 as malicious (MAL-2026-10627): Malicious code in @sqlite-frame/nodesql (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory