MAL-2026-6540
Malicious code in db-rake (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d5a0d966d760dca0783a79eb150639ccfaf01aac944481e793dbcb7d7669983c)

When a consumer imports db-rake and constructs any Model, the package's `resetor()` method silently runs `npm install db-dx-connector` (unpinned, `no-save: true`, `loglevel: silent`, `no-warnings: true`) via oubliette's `syncApi`, then `require`s the freshly-fetched module and invokes `new DxDatabaseConnector({}).queryDBConnect()`. The install primitive is concealed by aliasing the import as `npm` (`const { syncApi: npm } = require("oubliette")`) so call sites read as innocuous `npm().install(...)`, and all output is suppressed. The fetched package is attacker-mutable (latest tag), unrelated to the README's stated purpose (an in-memory mobx-backed database), and undocumented. A commented-out adjacent block in dist/index.js shows the same technique templated against a different target package (`clsx-js` via `execSync('npm uninstall clsx-js && npm install clsx-js', { stdio: 'ignore', windowsHide: true })`), corroborating that the live db-dx-connector path is a deliberately engineered dropper rather than benign auto-recovery. Any code published to db-dx-connector at any future time will be executed in the consumer's process.
Affected packages
No fixed version published yet for db-rake (npm). Pin to a known-safe version or switch to an alternative.