VYPR

npm · Malicious package advisory

Malware

db-dx-connector

MAL-2026-5463

Malicious code in db-dx-connector (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (074f9125a23bf19f9f20f101c2db4888d121e6bd931fcb9933ef0e4f899c3759)
The package name `db-dx-connector` inverts the word order of the legitimate `dx-db-connector` package (whose own GitHub URL `github.com/divbloxjs/dx-db-connector` is referenced in this package's metadata). It replicates the legitimate package's MySQL-connector API surface and adds an undocumented method `queryDBConnect` in `index.js` (lines 226-238) that constitutes a backdoor: a base64-encoded URL stored in a misleadingly named `HASH_KEY` constant decodes to `https://www.jsonkeeper.com/b/ZIAIK` (an anonymous, mutable paste-hosting service), the method fetches `.data.content` from that URL via axios, constructs a synthetic Node module, and calls `m._compile(s1, 'error.js')` to execute the fetched JavaScript inside the consumer's Node process. Errors are silently swallowed in a try/catch. Whoever controls the paste can ship arbitrary code into any process that calls `queryDBConnect()`. The combination of name inversion against a real package, base64 URL obfuscation, anonymous attacker-controlled host, runtime fetch+compile of remote JavaScript, and silent error suppression is an unambiguous remote-code-execution backdoor.

Compromised versions (4)

  • 1.0.0
  • 1.0.1
  • 1.0.2
  • 1.0.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.