VDB
KO

MAL-2026-10669

Malicious code in dbconnectify (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e23c446b06120537793ebc07d748d8de5334ae4ec6779bda5368885c72216e81) The package exposes a method queryDBConnect that performs an HTTP GET against a URL stored as a base64-encoded constant (HASH_KEY) decoded at runtime via atob(). The decoded endpoint is https://api.jsonsilo.com/public/bbc58e47-8c79-4653-ab75-d94e69230854, a third-party JSON-hosting service whose content is mutable by whoever controls the record. The fetched JavaScript source is passed to Node's internal Module._compile as "errorcheck.js", loading and executing attacker-controlled code in the installer's process. A database connector library has no functional need to load remote code, and hiding the endpoint behind base64 obfuscation is characteristic of evasion rather than legitimate configuration.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / dbconnectify

No fixed version published yet for dbconnectify (npm). Pin to a known-safe version or switch to an alternative.

References