OSV Malicious Advisory
scanned 13h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6142 confirms this npm version as malicious. The package impersonates the legitimate dx-db-connector (the package.json repository field points at git+https://github.com/divbloxjs/dx-db-connector.git) and replicates that connector's API surface, while adding an undocumented method queryDBConnect on the exported class. queryDBConnect base64-decodes a hardcoded URL (stored in a variable misleadingly named HASH_KEY and decoded with atob to evade static URL...
Advisory
MAL-2026-6142
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in db-connector-log (npm)
Details
The package impersonates the legitimate dx-db-connector (the package.json repository field points at git+https://github.com/divbloxjs/dx-db-connector.git) and replicates that connector's API surface, while adding an undocumented method queryDBConnect on the exported class. queryDBConnect base64-decodes a hardcoded URL (stored in a variable misleadingly named HASH_KEY and decoded with atob to evade static URL scanners), HTTP-GETs https://jsonkeeper.com/b/L435A — an anonymous, mutable JSON paste host — extracts the response's.session field, spawns a detached node child process, and writes that attacker-controlled content to its stdin, executing arbitrary JavaScript on the installer's machine. The combination of name impersonation, base64 URL obfuscation, anonymous mutable host, and stdin-piped node execution is a textbook remote-code-execution dropper. While the malicious method requires a caller to invoke it, it sits on the class consumers instantiate as the DB connector and resembles the surrounding DB methods, so normal use of the advertised API can reach it.
## Source: ghsa-malware (3bfecfb056db8c5e4aaed4e28024d4774d030e53b889b337bee712dfc6a31c21) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms db-connector-log@1.0.0 as malicious (MAL-2026-6142): Malicious code in db-connector-log (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory