Vulnerability
Malicious code in theta-connector (npm)
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2)

The package advertises itself as a MySQL connector, but `index.js` (around line 236) contains a method `queryDBConnect()` on the exported `DivbloxDatabaseConnector` class that base64-decodes a hardcoded URL (`aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iLzJQNUZB` → `https://jsonkeeper.com/b/2P5FA`, an anonymous, mutable JSON-paste host), fetches the `.data.content` field via `axios.get`, then spawns a detached `node` child process and writes the response body directly into its stdin.

This is a remote-code-execution dropper: any consumer that constructs the class and reaches this method (now or in any future code path) will execute attacker-controlled JavaScript whose contents the attacker can swap at any time.

Corroborating intent signals:

- the URL is obfuscated via base64 and `atob` to defeat grep-style URL scanners;
- the variable is misnamed `HASH_KEY` to disguise that it is a URL;
- `axios` is used but not declared in the package's dependencies;
- the spawned child is `detached: true` with stdin piped, the canonical shape of a stager.
No CVSS base score from NVD or GHSA yet. Both assign a score only after a CVE ID exists for the record: NVD typically within 24–72 hours of publication, GHSA usually within a day. A malicious-package advisory that is never assigned a CVE will not receive a base score from either source.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile, and re-check this record once the source publishes a score. For this record the code itself is the severity signal: a dropper that executes attacker-mutable JavaScript in a detached `node` process is remote code execution in every consumer that reaches `queryDBConnect()`, so removal does not need to wait for a score.
FIRST.org publishes EPSS daily for every published CVE ID. Reserved or not-yet-published IDs carry no score, and because EPSS is keyed on CVE IDs, a record with no CVE assigned will never receive one.
No exploitation, limited impact or prevalence