@sqlite-node/createsql @1.1.5

Summary

The package advertises itself as a SQLite toolkit but ships no SQLite functionality. Its main entry (index.js) is a single heavily obfuscated module (obfuscator.io string-array with RC4+base64 decoders, control-flow flattening, 233-entry rotated string array). After deobfuscation, a top-level IIFE runs at require() time: it builds a 4-octet IP address via repeated string concatenation, performs an HTTP GET to that hardcoded remote host, writes the response bytes to a file in an OS directory via fs.writeFileSync, then invokes child_process.exec on the dropped file with windowsHide: true to hide the console window. Empty uncaughtException / unhandledRejection handlers and surrounding try/catch swallow errors to avoid drawing attention. Package metadata further reinforces the lure shape: the @sqlite-node scope and createsql name imply an official SQLite toolkit, but the repository field points at an unrelated guilderguzman/array-utl_nodelump project and the package contains no SQLite implementation. Any project that runs npm install @sqlite-node/createsql and then imports the package will have arbitrary attacker-controlled code fetched and executed on the developer/CI machine.

Source: amazon-inspector (6f6f2c4e3192b71fc68681fbb8c8216a5e581e9f2baaa13954172249a8ddf5b6)