Supply-chain threat intelligence
Risk score: 92
Indexed incident for theta-connector (npm).
The package advertises itself as a MySQL connector but index.js (around line 236) contains a method queryDBConnect() on the exported DivbloxDatabaseConnector class that base64-decodes a hardcoded URL (aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iLzJQNUZB → https://jsonkeeper.com/b/2P5FA, an anonymous, mutable JSON-paste host), fetches the .data.content field via axios.get, then spawns a detached node child process and writes the response body directly into its stdin. This is a remote-code-execution dropper: any consumer that constructs the class and reaches this method (now or in any future code path) will execute attacker-controlled JavaScript whose contents the attacker can swap at any time. Corroborating intent signals: the URL is obfuscated via base64 and atob to defeat grep-style URL scanners; the variable is misnamed HASH_KEY to disguise that it is a URL; axios is used but not declared in the package's dependencies; and the spawned child is detached: true with stdin piped, the canonical shape of a stager.
Affected versions
Indicators
Timeline