{"id":"MAL-2025-5829","summary":"Malicious code in node-mongoose-orm (npm)","details":"The package employs typosquatting to impersonate a legitimate author and package, and it contains obfuscated code that exfiltrates sensitive user data and creates a backdoor for remote code execution, The core of the malicious activity is found in the `package/lib/writer.js` file. The lib/writer.js file contains obfuscated code that collects and exfiltrates data. It collects sensitive information: environment variables, OS platform, hostname, username, and MAC addresses. Sends this information via a POST request to `https://log-server-lovat.vercel.app/api/ipcheck/703`. The most dangerous part is `eval(r.data)`. This is a remote code execution (RCE) vulnerability. The server can send back any JavaScript code, and it will be executed on the user's machine","modified":"2025-07-02T05:39:07Z","published":"2025-07-02T05:39:07Z","database_specific":{"malicious-packages-origins":null},"affected":[{"package":{"name":"node-mongoose-orm","ecosystem":"npm","purl":"pkg:npm/node-mongoose-orm"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-mongoose-orm/MAL-2025-5829.json"}}],"schema_version":"1.7.3","credits":[{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}