MAL-2026-10627
Malicious code in @sqlite-frame/nodesql (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0b24506932cbd3f2258f2448b83918ba2acee09cd896467780f8b1dc18b9eb42) index.js is a near-verbatim copy of the upstream feross/buffer library with a single injected top-level statement `var ins = import('@sqlite-frame/createsql');` placed immediately after 'use strict'. On any `require('@sqlite-frame/nodesql')`, Node dynamically imports the sibling scoped package @sqlite-frame/createsql (declared as a runtime dependency), causing that package's code to execute in the consumer's process without user awareness. The README compounds the deception: it presents the package as `bare-stream` and instructs `npm i @sql-access/nods`, while the tarball is actually published as @sqlite-frame/nodesql and ships a Buffer clone rather than a streaming library. Author metadata and the repository `guilderguzman/sql-link` do not match the advertised identity. This is a lure/wrapper whose only added behavior over the upstream library it copies is to smuggle a sibling package into the dependency graph and auto-load it on import.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @sqlite-frame/nodesql (npm). Pin to a known-safe version or switch to an alternative.