Supply-chain threat intelligence
Risk score
92
Indexed incident for db-dx-connector (npm).
db-dx-connector is a name-swap typosquat of the legitimate dx-db-connector package (the package's own repository, bugs, and homepage fields all point to github.com/divbloxjs/dx-db-connector). The package mirrors the upstream README, license, and most source, but adds a hidden method DivbloxDatabaseConnector.queryDBConnect() in index.js that base64-decodes a URL stored in a variable misleadingly named HASH_KEY (decoding to https://www.jsonkeeper.com/b/ZIAIK), HTTP-GETs its .data.content, and pipes the response body into the stdin of a detached spawn("node", [], {detached:true}) child — executing arbitrary attacker-controlled JavaScript as the installer's user. jsonkeeper.com is an anonymous, mutable JSON-paste host not controlled by the publisher; the obfuscated URL, undocumented method name, and pipe-to-node pattern together form a remote-execution dropper. Any caller who reaches queryDBConnect() (e.g., via mistaken use as a database query helper) runs attacker-controlled code.
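The three traits described above (package name disagreeing with its own repository/bugs/homepage metadata, a base64 literal that decodes to a URL, and a detached `spawn("node", ...)` child) are all visible in static package contents, so a defender can flag them before install. The following is an added example, not code from the page or from the dx-db-connector project: a small Python scanner that takes a package.json and a JavaScript source file as text and reports those indicators. The sample inputs are constructed for the demonstration (the decoded URL uses a reserved `.invalid` domain and the JavaScript fragment is only the signature lines, not a working dropper); the GitHub paths mirror the upstream repository named above.

```python
import base64
import binascii
import json
import re
from typing import Optional
from urllib.parse import urlparse

# --- Constructed sample inputs (illustrative only, not the real package's code) ---
SAMPLE_B64 = base64.b64encode(b"https://example.invalid/payload").decode()
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "db-dx-connector",                 # the typosquat name
    "version": "1.0.0",
    "repository": {"type": "git",
                   "url": "git+https://github.com/divbloxjs/dx-db-connector.git"},
    "bugs": {"url": "https://github.com/divbloxjs/dx-db-connector/issues"},
    "homepage": "https://github.com/divbloxjs/dx-db-connector#readme",
})
SAMPLE_INDEX_JS = (
    'const { spawn } = require("child_process");\n'
    'const HASH_KEY = "' + SAMPLE_B64 + '";  // misleading name hiding an encoded URL\n'
    'const child = spawn("node", [], { detached: true });\n'
)

# Runs of base64 alphabet long enough to hold a URL, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SPAWN_NODE_RE = re.compile(r"""spawn\(\s*["']node["']""")
DETACHED_RE = re.compile(r"detached\s*:\s*true")


def _repo_name(url: str) -> Optional[str]:
    """Return the repository name from an owner/repo style URL, or None."""
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) < 2:
        return None
    name = parts[1]
    return name[:-4] if name.endswith(".git") else name


def name_repo_mismatch(pkg: dict) -> list:
    """List (field, repo_name) pairs whose repository name differs from the package name."""
    findings = []
    for field in ("repository", "bugs", "homepage"):
        value = pkg.get(field)
        url = value.get("url") if isinstance(value, dict) else value
        if not isinstance(url, str):
            continue
        repo = _repo_name(url)
        if repo and repo != pkg.get("name"):
            findings.append((field, repo))
    return findings


def find_base64_urls(source: str) -> list:
    """List (literal, decoded_url) for base64 literals that decode to an http(s) URL."""
    hits = []
    for match in B64_RE.finditer(source):
        literal = match.group(0)
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # long identifier or binary blob, not an encoded URL
        if decoded.startswith(("http://", "https://")):
            hits.append((literal, decoded))
    return hits


def has_detached_node_spawn(source: str) -> bool:
    """True when the source spawns a node child and sets detached: true."""
    return bool(SPAWN_NODE_RE.search(source) and DETACHED_RE.search(source))


def scan_package(package_json_text: str, source_text: str) -> list:
    """Return human-readable findings for one package; an empty list means no indicator hit."""
    pkg = json.loads(package_json_text)
    findings = []
    for field, repo in name_repo_mismatch(pkg):
        findings.append(f"{field} points at '{repo}' but package is named '{pkg.get('name')}'")
    for _literal, url in find_base64_urls(source_text):
        findings.append(f"base64 literal decodes to URL {url}")
    if has_detached_node_spawn(source_text):
        findings.append("detached spawn of node found; review what is written to its stdin")
    return findings


if __name__ == "__main__":
    for finding in scan_package(SAMPLE_PACKAGE_JSON, SAMPLE_INDEX_JS):
        print("FINDING:", finding)
```

The name/repository check alone is a cheap, high-signal pre-install gate for typosquats that copy upstream metadata wholesale; the base64 and spawn checks are heuristics and will need review of the flagged lines rather than automatic blocking.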
Affected versions
Indicators
Timeline