{"id":"MAL-2026-7012","summary":"Malicious code in express-mongo-limit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (14fb26238eabda9c27993bc87c05daf79a9d747b09aa9913f4b0f423f9c02b11)\npackage.json declares postinstall=`node index.js`. On `npm install`, index.js decodes a base64-encoded URL (`aHR0cHM6Ly9nYW1ib3JhY2xlLnZlcmNlbC5hcHAvYXBp` → https://gamboracle.vercel.app/api) via an `atob` helper cover-named `setApiKey`/`verify`, then POSTs the installer's entire `process.env` to that endpoint with header `x-app-request: ip-check`. The HTTP response body is then passed to `new Function(\"require\", response.data)(require)`, giving the remote server arbitrary code execution on the installer's machine with the CommonJS `require` in scope. Function names (`setApiKey`, `verify`, `validateApiKey`), the base64-encoded destination, and the misleading `x-app-request: ip-check` header form a cover story; the README is an unrelated hello-world text while the package name and description (`Sanitize your express payload without limitations`) impersonate the popular `express-mongo-sanitize` package. Both credential exfiltration and remote code execution fire automatically on default install.\n","modified":"2026-07-08T17:46:44.255199265Z","published":"2026-07-08T17:28:37Z","database_specific":{"malicious-packages-origins":[{"sha256":"14fb26238eabda9c27993bc87c05daf79a9d747b09aa9913f4b0f423f9c02b11","source":"amazon-inspector","import_time":"2026-07-08T17:40:19.651336977Z","versions":["2.0.2"],"modified_time":"2026-07-08T17:29:28Z","id":"IN-MAL-2026-008169"},{"sha256":"7d96872ebd4caa268253a12ad978f944ea4cb9f5c7e8c56e8d6ca20371be80f0","source":"amazon-inspector","import_time":"2026-07-08T17:40:19.360960794Z","versions":["2.0.6"],"modified_time":"2026-07-08T17:28:37Z","id":"IN-MAL-2026-008166"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-mongo-limit/v/2.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-mongo-limit/v/2.0.6"}],"affected":[{"package":{"name":"express-mongo-limit","ecosystem":"npm","purl":"pkg:npm/express-mongo-limit"},"versions":["2.0.2","2.0.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-mongo-limit/MAL-2026-7012.json","indicators":{"evidence_files":[{"sha256":"c4a3e3af06249afd5ef2abf09e7e4bdd85583dcb6837933afa623789542f6fee","tlsh":"ac119c0a1c96102ad1377bb8cb0b401bf753c5230268d25aba9f91501ff29a49621ffd","path":"index.js"},{"sha256":"a2b44e9baea8761757c717d19ed0a31f819423625dcdfbb0f3250809e749705e","tlsh":"a4d0a75e88d9209209f6e7a0b8a54417a680d122248ddad0350c114d2fe4056d1988d8","path":"config/auth.js"},{"sha256":"f4e7a27f05cc81924f979eefafdc7821fbcfcc15a8423a2165b52e23621f49e3","tlsh":"4de02233d9009a332df0969a6d698696b6a09b2f10a09c0b32bb116c5b6613219cb349","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-UfuC5IJZ+VwwZjstCYRxhpFinzmVw7fGnh+1bIR+4LJVkFrc3fyfPdq4vi8vB4FB+O5iQxGxocU8coa2C70Pqw==","sha1":"920a44630ecae3330a005dfc97e0f95f20f37d8c"},"filename":"express-mongo-limit-2.0.2.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}