MAL-2026-6539

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4928f7d380b79104d997e7666603726873158508c38d2c75a90c7529dd196be3) The package presents itself as a database query helper but index.js defines a method queryDBConnect() that base64-decodes a hardcoded URL pointing to https://www.jsonkeeper.com/b/ZIAIK (an anonymous, attacker-mutable JSON paste host), fetches the.data.content field via axios, and compiles and executes the response as a Node module via new Module()._compile(...). The destination URL is stored as a base64 literal named HASH_KEY and decoded with atob() at runtime, hiding it from static inspection, and errors in the fetch-and-execute path are silently swallowed. Package metadata further misrepresents the project: package.json declares the name 'db-query-log' while repository/homepage/bugs all point to github.com/divbloxjs/dx-db-connector and the exported class is DivbloxDatabaseConnector, with the remote-exec method absent from that upstream's API. Any consumer that calls into the package's connector and reaches this code path will execute arbitrary attacker-controlled JavaScript inside the Node.js process with the installer's privileges.