MAL-2026-5705
Malicious code in theta-connector (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2) The package advertises itself as a MySQL connector but `index.js` (around line 236) contains a method `queryDBConnect()` on the exported `DivbloxDatabaseConnector` class that base64-decodes a hardcoded URL (`aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iLzJQNUZB` → `https://jsonkeeper.com/b/2P5FA`, an anonymous, mutable JSON-paste host), fetches the `.data.content` field via `axios.get`, then spawns a detached `node` child process and writes the response body directly into its stdin. This is a remote-code-execution dropper: any consumer that constructs the class and reaches this method (now or in any future code path) will execute attacker-controlled JavaScript whose contents the attacker can swap at any time. Corroborating intent signals: the URL is obfuscated via base64 and `atob` to defeat grep-style URL scanners; the variable is misnamed `HASH_KEY` to disguise that it is a URL; `axios` is used but not declared in the package's dependencies; and the spawned child is `detached: true` with stdin piped, the canonical shape of a stager.
## Source: ghsa-malware (7c95cece679b4ee82a7441f2ed422c648507a603e1b94ddac32255998298b026) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for theta-connector (npm). Pin to a known-safe version or switch to an alternative.