@sqlite-group/schema-generator @1.0.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 2:45 AM UTC
OSV ID
MAL-2026-10448
Ecosystem
npm
Summary
On require/import, index.js fetches the content of a GitHub Gist (https://gist.github.com/getchainverse/b57a92378ad0a52430137c3b810e7107, retrieved via api.github.com/gists/<id>) and passes the returned JavaScript directly to eval(). The gist is mutable and controlled by an external account with no relationship to SQLite, so any project that loads this package executes whatever code the gist owner chooses at that moment. The package is published under the @sqlite-group npm scope with description "simple node for sql fetch" while the author ( guilderguzman ) has no connection to the SQLite project — the scope is a lure to inflate install probability for what is otherwise a bare remote-eval loader.
Source: amazon-inspector (4d317d08a81d92d85c53ffe33ef8c709b706ed09c1f89b1c6489ac4fbf9f82c8)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.