db-connector-log @1.0.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-6142
Ecosystem
npm
Summary
db-connector-log@1.0.1 impersonates the legitimate dx-db-connector package (divbloxjs); package.json's repository/homepage point at the divbloxjs project and the library code is a near-verbatim copy with one added method. DivbloxDatabaseConnector.queryDBConnect contains a base64 literal HASH_KEY ("aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1NINVpX") that decodes via atob() to a jsonkeeper.com paste URL, fetches the.session field from that URL with axios, then spawns a detached node child process with stdio piped/ignored and writes the fetched string to its stdin for execution. This is fetch-and-exec of attacker-controlled, mutable remote JavaScript from an anonymous paste host, with the endpoint deliberately obfuscated via base64 encoding and a misleading variable name. Any consumer that invokes queryDBConnect (or any future release that wires this method into install/import paths) executes arbitrary attacker-controlled code in the installer's Node process. The combination of name impersonation of an established publisher, copy-paste of the victim package's code, an added remote-code-execution method, anonymous mutable code source, and URL obfuscation is the canonical typosquat dropper shape.
Source: amazon-inspector (f0b028ed25796b267dc7df004e294b917a05c2e5fdd76e2540530b8c179843c6)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.