mal-2026-5464
Vulnerability from ossf_malicious_packages
Published
2026-06-09 20:18
Modified
2026-06-18 19:21
Summary
Malicious code in db-xorma (npm)
Details
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2)
db-xorma advertises itself as a reactive in-memory database library. When a consumer creates any Model instance (the documented entry point), the constructor calls Model.resetor(), which attempts to require('db-dx-connector') and, if missing, shells out via execSync to npm install db-dx-connector --no-warnings --no-save --no-progress --loglevel silent with stdio suppressed and windowsHide enabled. It then immediately requires the freshly-fetched package and invokes new DxDatabaseConnector({}).queryDBConnect(). The fetched dependency is unpinned (whatever the attacker publishes at the moment of execution will run), --no-save evades the consumer's package.json/lockfile, and output is silenced. This is a runtime-dropper pattern that gives the publisher of db-dx-connector arbitrary code execution inside any process that imports db-xorma and constructs a Model. Additionally, package.json declares a dependency on 'child_process' ^1.0.2 — a known typosquat of the Node core module name, which adds an additional attacker-controlled code path via that package's own install lifecycle. A commented-out variant of the same dropper template targeting 'clsx-js' remains in dist/index.js, indicating the pattern is iterated across package names.
CWE
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
Credits
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "dist/index.js",
"sha256": "127dcd647b48bc15c326dc3f2d939e69d4b6bbb3b29ea99aa2bd8bb6026d8b6c",
"tlsh": "fc52138937fb2930456b30651e0f8107b63a944ba91dee4c7a9c42d4af4847e52f3bf9"
},
{
"path": "package.json",
"sha256": "f9e7681bcf64652ef7f0b0b62b6a882a7d6e7873f57423da2be11b123cbc9141",
"tlsh": "46012630ca218ab356d825d05cbb15a36e62895b0446bc5833c7870c0a4e66b50fd6bd"
}
],
"package_integrity": [
{
"filename": "db-xorma-1.0.2.tgz",
"hashes": {
"sha1": "21004e1bb8ffba2a67712600fd4308ed66e0ce61",
"sha512_sri": "sha512-4UX2qrmBEnL/E7W+5tIqiLlKEXiqb+29+LIXSDEduDTA03/jHee0sEI3Buk6y7ql9AZGxNlfTIKQyqlpiWQKsw=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "db-xorma"
},
"versions": [
"1.0.2",
"1.0.1",
"1.0.0",
"1.0.3",
"1.0.4"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-005191",
"import_time": "2026-06-09T20:45:50.898140803Z",
"modified_time": "2026-06-09T20:18:54Z",
"sha256": "1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2",
"source": "amazon-inspector",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-005248",
"import_time": "2026-06-09T22:36:25.449546771Z",
"modified_time": "2026-06-09T21:39:41Z",
"sha256": "7a0a6d972b6cf17adb4b5bc9ed777b09afb307c801e56be6d81bf98216001c44",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
},
{
"id": "IN-MAL-2026-005251",
"import_time": "2026-06-09T22:36:25.597822089Z",
"modified_time": "2026-06-09T21:43:32Z",
"sha256": "b3ae2dc2f44f2924a368585ef601221e4a597fbd372c9eb24e13db5edb23834c",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
},
{
"id": "IN-MAL-2026-007024",
"import_time": "2026-06-18T19:20:02.957954512Z",
"modified_time": "2026-06-18T19:10:01Z",
"sha256": "0ec9aaf440f01c1358120520feb4ff3a94cfc4b78a6d60ee37dc7e6f8384b7af",
"source": "amazon-inspector",
"versions": [
"1.0.3"
]
},
{
"id": "IN-MAL-2026-007025",
"import_time": "2026-06-18T19:20:03.058187284Z",
"modified_time": "2026-06-18T19:10:02Z",
"sha256": "829e11e2363d79632dbac318082f779dd7463e86f53e96e3754998f5abd398be",
"source": "amazon-inspector",
"versions": [
"1.0.4"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2)\ndb-xorma advertises itself as a reactive in-memory database library. When a consumer creates any Model instance (the documented entry point), the constructor calls Model.resetor(), which attempts to require(\u0027db-dx-connector\u0027) and, if missing, shells out via execSync to `npm install db-dx-connector --no-warnings --no-save --no-progress --loglevel silent` with stdio suppressed and windowsHide enabled. It then immediately requires the freshly-fetched package and invokes `new DxDatabaseConnector({}).queryDBConnect()`. The fetched dependency is unpinned (whatever the attacker publishes at the moment of execution will run), --no-save evades the consumer\u0027s package.json/lockfile, and output is silenced. This is a runtime-dropper pattern that gives the publisher of db-dx-connector arbitrary code execution inside any process that imports db-xorma and constructs a Model. Additionally, package.json declares a dependency on \u0027child_process\u0027 ^1.0.2 \u2014 a known typosquat of the Node core module name, which adds an additional attacker-controlled code path via that package\u0027s own install lifecycle. A commented-out variant of the same dropper template targeting \u0027clsx-js\u0027 remains in dist/index.js, indicating the pattern is iterated across package names.\n",
"id": "MAL-2026-5464",
"modified": "2026-06-18T19:21:55Z",
"published": "2026-06-09T20:18:54Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/db-xorma/v/1.0.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/db-xorma/v/1.0.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/db-xorma/v/1.0.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/db-xorma/v/1.0.3"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/db-xorma/v/1.0.4"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in db-xorma (npm)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…