npm

@sqlite-group/sql-creator @1.0.7

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10578

Ecosystem

npm

Summary

The package is published under a scope that impersonates SQLite ( @sqlite-group ) and declares itself as "cloud definitions for node", but the shipped index.js is a near-verbatim copy of the feross/buffer library with a single injected top-level statement: var ins = import('@sqlite-group/schema-generator'); . This dynamic import fires on any require / import of the package, handing control to whatever top-level module code the sibling @sqlite-group/schema-generator ships. The cover-story mismatch (scope name suggesting SQLite tooling + description claiming cloud definitions + actual code being a Buffer polyfill + one injected loader line) is consistent with a dependency-confusion / namespace-piggyback loader stub whose sole purpose is to pull an attacker-controlled sibling into the installer's process on load. Installer harm is the code execution surface exposed by the sibling dependency, delivered transitively when this package is required.

Source: amazon-inspector (4d3bd76c01604d26251c1650c71f8a99ad32c5389c4e42795477ae660be33a2a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.