OSV Malicious Advisory
scanned 8h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10448 confirms this npm version as malicious. On require/import, index.js fetches the content of a GitHub Gist (https://gist.github.com/getchainverse/b57a92378ad0a52430137c3b810e7107, retrieved via api.github.com/gists/<id>) and passes the returned JavaScript directly to eval()...
Advisory
MAL-2026-10448
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @sqlite-group/schema-generator (npm)
Details
On require/import, index.js fetches the content of a GitHub Gist (https://gist.github.com/getchainverse/b57a92378ad0a52430137c3b810e7107, retrieved via api.github.com/gists/<id>) and passes the returned JavaScript directly to eval(). The gist is mutable and controlled by an external account with no relationship to SQLite, so any project that loads this package executes whatever code the gist owner chooses at that moment. The package is published under the `@sqlite-group` npm scope with description "simple node for sql fetch" while the author (`guilderguzman`) has no connection to the SQLite project — the scope is a lure to inflate install probability for what is otherwise a bare remote-eval loader.
Decision reason
OpenSSF Malicious Packages via OSV confirms @sqlite-group/schema-generator@1.0.2 as malicious (MAL-2026-10448): Malicious code in @sqlite-group/schema-generator (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory