npm

@sqlite-clone/nodesql @1.0.2

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10577

Ecosystem

npm

Summary

The package is published as @sqlite-clone/nodesql but its shipped index.js is a verbatim copy of the well-known feross/buffer polyfill with a single injected top-level statement: var ins = import('@sqlite-panel/createsql'); . This dynamic import fires whenever a consumer requires or imports the package, transitively loading and executing whatever code the sibling scoped package @sqlite-panel/createsql ships. The package name, keywords ('node','sql'), README (titled 'bare-stream' and instructing users to npm i @sql-access/nods ), and actual code body (buffer polyfill) do not agree with each other, and the declared dependency lives under a third, unrelated scope — a lure/cover-story shape rather than a legitimate library. The buffer-polyfill body serves as camouflage: the tarball has no direct network I/O of its own; the entire supply-chain effect is delivered through the transitively pulled attacker-controlled dependency.

Source: amazon-inspector (aa13a1a0a588b94fe6f577ccd3fad94566f8db8d44848aa6421285795f15298d)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.