Which versions of @sqlite-node/createsql are malicious?

The following npm versions of @sqlite-node/createsql are flagged malicious: 1.0.3. Treat any of these as compromised.

How do I remediate @sqlite-node/createsql if I installed it?

Remove @sqlite-node/createsql from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is @sqlite-node/createsql part of a known attack campaign?

Yes — @sqlite-node/createsql is associated with the IN-MAL-2026-004946 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect @sqlite-node/createsql in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking @sqlite-node/createsql and packages like it before any post-install script runs.

Malicious package

@sqlite-node/createsqlnpm

Malicious code in @sqlite-node/createsql (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5396

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall @sqlite-node/createsql

What this malware does

The package advertises itself as a SQLite toolkit but ships no SQLite functionality. Its main entry (index.js) is a single heavily obfuscated module (obfuscator.io string-array with RC4+base64 decoders, control-flow flattening, 233-entry rotated string array). After deobfuscation, a top-level IIFE runs at require() time: it builds a 4-octet IP address via repeated string concatenation, performs an HTTP GET to that hardcoded remote host, writes the response bytes to a file in an OS directory via fs.writeFileSync, then invokes child_process.exec on the dropped file with windowsHide: true to hide the console window. Empty uncaughtException / unhandledRejection handlers and surrounding try/catch swallow errors to avoid drawing attention. Package metadata further reinforces the lure shape: the @sqlite-node scope and createsql name imply an official SQLite toolkit, but the repository field points at an unrelated guilderguzman/array-utl_nodelump project and the package contains no SQLite implementation. Any project that runs npm install @sqlite-node/createsql and then imports the package will have arbitrary attacker-controlled code fetched and executed on the developer/CI machine.

Malicious versions

1 flagged

1.0.3

Indicators of compromise (SHA-256)

6f6f2c4e3192b71fc68681fbb8c8216a5e581e9f2baaa13954172249a8ddf5b6

Frequently asked questions

No. @sqlite-node/createsql on npm has been identified as a malicious package (version 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004946

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection