npm

@sqlite-frame/nodesql @1.0.3

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC

Malicious

OSV ID

MAL-2026-10627

Ecosystem

npm

Summary

index.js is a near-verbatim copy of the upstream feross/buffer library with a single injected top-level statement var ins = import('@sqlite-frame/createsql'); placed immediately after 'use strict'. On any require('@sqlite-frame/nodesql') , Node dynamically imports the sibling scoped package @sqlite-frame/createsql (declared as a runtime dependency), causing that package's code to execute in the consumer's process without user awareness. The README compounds the deception: it presents the package as bare-stream and instructs npm i @sql-access/nods , while the tarball is actually published as @sqlite-frame/nodesql and ships a Buffer clone rather than a streaming library. Author metadata and the repository guilderguzman/sql-link do not match the advertised identity. This is a lure/wrapper whose only added behavior over the upstream library it copies is to smuggle a sibling package into the dependency graph and auto-load it on import.

Source: amazon-inspector (0b24506932cbd3f2258f2448b83918ba2acee09cd896467780f8b1dc18b9eb42)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.