OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10669 confirms this npm version as malicious. The package exposes a method queryDBConnect that performs an HTTP GET against a URL stored as a base64-encoded constant (HASH_KEY) decoded at runtime via atob(). The decoded endpoint is https://api.jsonsilo.com/public/bbc58e47-8c79-4653-ab75-d94e69230854, a third-party JSON-hosting service whose content is mutable by whoever controls the record. The fetched JavaScript source is passed to Node's internal...
Advisory
MAL-2026-10669
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in dbconnectify (npm)
Details
The package exposes a method queryDBConnect that performs an HTTP GET against a URL stored as a base64-encoded constant (HASH_KEY) decoded at runtime via atob(). The decoded endpoint is https://api.jsonsilo.com/public/bbc58e47-8c79-4653-ab75-d94e69230854, a third-party JSON-hosting service whose content is mutable by whoever controls the record. The fetched JavaScript source is passed to Node's internal Module._compile as "errorcheck.js", loading and executing attacker-controlled code in the installer's process. A database connector library has no functional need to load remote code, and hiding the endpoint behind base64 obfuscation is characteristic of evasion rather than legitimate configuration.
Decision reason
OpenSSF Malicious Packages via OSV confirms dbconnectify@1.0.1 as malicious (MAL-2026-10669): Malicious code in dbconnectify (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory