Malicious package

@sqlite-node/createsql (npm)

Malicious code in @sqlite-node/createsql (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5396
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @sqlite-node/createsql

What this malware does

The package advertises itself as a SQLite toolkit but ships no SQLite functionality. Its main entry (index.js) is a single heavily obfuscated module (obfuscator.io string-array with RC4+base64 decoders, control-flow flattening, 233-entry rotated string array). After deobfuscation, a top-level IIFE runs at require() time: it builds a 4-octet IP address via repeated string concatenation, performs an HTTP GET to that hardcoded remote host, writes the response bytes to a file in an OS directory via fs.writeFileSync, then invokes child_process.exec on the dropped file with windowsHide: true to hide the console window. Empty uncaughtException / unhandledRejection handlers and surrounding try/catch swallow errors to avoid drawing attention. Package metadata further reinforces the lure shape: the @sqlite-node scope and createsql name imply an official SQLite toolkit, but the repository field points at an unrelated guilderguzman/array-utl_nodelump project and the package contains no SQLite implementation. Any project that runs npm install @sqlite-node/createsql and then imports the package will have arbitrary attacker-controlled code fetched and executed on the developer/CI machine.

Malicious versions

14 flagged:
1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5

Indicators of compromise (SHA-256)


Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for @sqlite-node/createsql (14 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging @sqlite-node/createsql across your stack and pipelines.

  2. If you installed it — respond

    Remove @sqlite-node/createsql from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If @sqlite-node/createsql was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks @sqlite-node/createsql before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
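
Step 1 above, as an added example that is not O3's or the page's own code: a Node.js function that walks a parsed package-lock.json (lockfileVersion 1, 2 or 3) and reports every install of @sqlite-node/createsql, including aliased installs whose folder name hides it. The names findMaliciousInstalls and SAMPLE_LOCK and the sample lockfile are constructed for illustration.

```javascript
// Added example: locate @sqlite-node/createsql in parsed package-lock.json data.
const BAD_NAME = "@sqlite-node/createsql";
// The 14 versions this page lists as malicious.
const BAD_VERSIONS = new Set([
  "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9",
  "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5",
]);

function findMaliciousInstalls(lock) {
  const hits = [];
  const record = (where, version) =>
    hits.push({ where, version, flagged: BAD_VERSIONS.has(version) });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      // An aliased install keeps the real package name in meta.name.
      const name = meta.name || path.split("node_modules/").pop();
      if (name === BAD_NAME) record(path, meta.version);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" keyed by name.
  const walk = (deps, trail) => {
    for (const [key, meta] of Object.entries(deps || {})) {
      // v1 records an alias as version "npm:<real-name>@<version>".
      const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || "");
      const name = alias ? alias[1] : key;
      const version = alias ? alias[2] : meta.version;
      const here = trail.concat(key);
      if (name === BAD_NAME) record(here.join(" > "), version);
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not a real project); 2.0.0 is a made-up version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/@sqlite-node/createsql": { version: "1.0.4" },
    "node_modules/sqlite-tools": { name: BAD_NAME, version: "2.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};
console.log(findMaliciousInstalls(SAMPLE_LOCK));
```

On a real project, pass it the result of JSON.parse on the package-lock.json contents. Any hit means the package is in the dependency tree; `flagged` only says whether the version is one of the 14 listed on this page.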

Frequently asked questions

No. @sqlite-node/createsql on npm has been identified as a malicious package (versions 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, and 6 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004946, IN-MAL-2026-005889, IN-MAL-2026-005900, IN-MAL-2026-005896, IN-MAL-2026-005886, IN-MAL-2026-005887, IN-MAL-2026-005891, IN-MAL-2026-005893, IN-MAL-2026-005890, IN-MAL-2026-005899, IN-MAL-2026-005888, IN-MAL-2026-005892, IN-MAL-2026-005895, IN-MAL-2026-005894, IN-MAL-2026-005901, IN-MAL-2026-005898, IN-MAL-2026-005897

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks @sqlite-node/createsql-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.
