VDB
KO

MAL-2026-10448

Malicious code in @sqlite-group/schema-generator (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4d317d08a81d92d85c53ffe33ef8c709b706ed09c1f89b1c6489ac4fbf9f82c8) On require/import, index.js fetches the content of a GitHub Gist (https://gist.github.com/getchainverse/b57a92378ad0a52430137c3b810e7107, retrieved via api.github.com/gists/<id>) and passes the returned JavaScript directly to eval(). The gist is mutable and controlled by an external account with no relationship to SQLite, so any project that loads this package executes whatever code the gist owner chooses at that moment. The package is published under the `@sqlite-group` npm scope with description "simple node for sql fetch" while the author (`guilderguzman`) has no connection to the SQLite project — the scope is a lure to inflate install probability for what is otherwise a bare remote-eval loader.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @sqlite-group/schema-generator

No fixed version published yet for @sqlite-group/schema-generator (npm). Pin to a known-safe version or switch to an alternative.

References