npm

@sqlite-group/schema-generator @1.0.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 2:45 AM UTC

Malicious

OSV ID

MAL-2026-10448

Ecosystem

npm

Summary

On require/import, index.js fetches the content of a GitHub Gist (https://gist.github.com/getchainverse/b57a92378ad0a52430137c3b810e7107, retrieved via api.github.com/gists/<id>) and passes the returned JavaScript directly to eval(). The gist is mutable and controlled by an external account with no relationship to SQLite, so any project that loads this package executes whatever code the gist owner chooses at that moment. The package is published under the @sqlite-group npm scope with description "simple node for sql fetch" while the author ( guilderguzman ) has no connection to the SQLite project — the scope is a lure to inflate install probability for what is otherwise a bare remote-eval loader.

Source: amazon-inspector (4d317d08a81d92d85c53ffe33ef8c709b706ed09c1f89b1c6489ac4fbf9f82c8)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.