MAL-2025-5829

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-mongoose-orm/MAL-2025-5829.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-5829
Published
2025-07-02T05:39:07Z
Modified
2025-07-02T05:39:07Z
Summary
Malicious code in node-mongoose-orm (npm)
Details

The package employs typosquatting to impersonate a legitimate author and package, and it contains obfuscated code that exfiltrates sensitive user data and creates a backdoor for remote code execution. The core of the malicious activity is found in the package/lib/writer.js file. The lib/writer.js file contains obfuscated code that collects and exfiltrates data. It collects sensitive information: environment variables, OS platform, hostname, username, and MAC addresses. It sends this information via a POST request to https://log-server-lovat.vercel.app/api/ipcheck/703. The most dangerous part is eval(r.data). This is a remote code execution (RCE) vulnerability: the server can send back any JavaScript code, and it will be executed on the user's machine.

Database specific
{
    "malicious-packages-origins": null
}
References
Credits

Affected packages

npm / node-mongoose-orm

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-mongoose-orm/MAL-2025-5829.json"