Supply-chain threat intelligence
Risk score
92
Indexed incident for db-connector-log (npm).
The package impersonates the legitimate dx-db-connector (the package.json repository field points at git+https://github.com/divbloxjs/dx-db-connector.git) and replicates that connector's API surface, while adding an undocumented method queryDBConnect on the exported class. queryDBConnect base64-decodes a hardcoded URL (stored in a variable misleadingly named HASH_KEY and decoded with atob to evade static URL scanners), HTTP-GETs https://jsonkeeper.com/b/L435A — an anonymous, mutable JSON paste host — extracts the response's.session field, spawns a detached node child process, and writes that attacker-controlled content to its stdin, executing arbitrary JavaScript on the installer's machine. The combination of name impersonation, base64 URL obfuscation, anonymous mutable host, and stdin-piped node execution is a textbook remote-code-execution dropper. While the malicious method requires a caller to invoke it, it sits on the class consumers instantiate as the DB connector and resembles the surrounding DB methods, so normal use of the advertised API can reach it.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Affected versions
Indicators
Timeline