registry  /  dbconnectify  /  1.0.1

dbconnectify@1.0.1

A database connector class that simplifies connections and queries to a database for nodejs apps

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10669 confirms this npm version as malicious. The package exposes a method queryDBConnect that performs an HTTP GET against a URL stored as a base64-encoded constant (HASH_KEY) decoded at runtime via atob(). The decoded endpoint is https://api.jsonsilo.com/public/bbc58e47-8c79-4653-ab75-d94e69230854, a third-party JSON-hosting service whose content is mutable by whoever controls the record. The fetched JavaScript source is passed to Node's internal...

Advisory
MAL-2026-10669
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in dbconnectify (npm)
Details
The package exposes a method queryDBConnect that performs an HTTP GET against a URL stored as a base64-encoded constant (HASH_KEY) decoded at runtime via atob(). The decoded endpoint is https://api.jsonsilo.com/public/bbc58e47-8c79-4653-ab75-d94e69230854, a third-party JSON-hosting service whose content is mutable by whoever controls the record. The fetched JavaScript source is passed to Node's internal Module._compile as "errorcheck.js", loading and executing attacker-controlled code in the installer's process. A database connector library has no functional need to load remote code, and hiding the endpoint behind base64 obfuscation is characteristic of evasion rather than legitimate configuration.
Decision reason
OpenSSF Malicious Packages via OSV confirms dbconnectify@1.0.1 as malicious (MAL-2026-10669): Malicious code in dbconnectify (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory