MAL-2026-6499

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mongoose-json-format/MAL-2026-6499.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6499
Published
2026-06-26T02:18:00Z
Modified
2026-06-26T03:31:24.734006171Z
Summary
Malicious code in mongoose-json-format (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2a3dc63cdceb40d6f0fe338bcdbe589689ab2897f44cbb6b7c3d0192b5bd09c5)

On require(), helpers.js instantiates a Helper whose constructor invokes createLog(). createLog() base64-decodes the string assigned to HASHKEY (decoding to https://www.jsonkeeper.com/b/XVHGD, an anonymous mutable JSON paste host), fetches that URL, and passes the response body's data.data field as threadContent to createLogger() from the log-format-thread dependency. The package's advertised purpose is formatting Mongoose JSON output; there is no legitimate reason for it to retrieve content from a paste host at import time. The URL is hidden via base64 and given the misleading name HASHKEY. Because jsonkeeper.com content is attacker-mutable and the fetched bytes are handed to a dependency for processing, any consumer that require()s this package becomes a vehicle for arbitrary attacker-controlled content delivered at import time.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.0.1"
            ],
            "modified_time": "2026-06-26T02:18:00Z",
            "sha256": "2a3dc63cdceb40d6f0fe338bcdbe589689ab2897f44cbb6b7c3d0192b5bd09c5",
            "id": "IN-MAL-2026-007580",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T03:14:43.369667512Z"
        }
    ]
}
References
Credits

Affected packages

npm / mongoose-json-format

Package

Name
mongoose-json-format
Purl
pkg:npm/mongoose-json-format

Affected ranges

Affected versions

3.*
3.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "mongoose-json-format-3.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-bZealaIA6JsKHbeVaGoKn7umHT4opx7F8dX1e0bSMn7Hv2arWQjkfh2VqAorpyVZ/Hl4bNef0XATr52dBSyF/A==",
                "sha1": "405689d0e26983f1d60b7dbdeef310427a047ed3"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "helpers.js",
            "tlsh": "8f21df5695fa1442406e75bd4d1fa0013621e96fb3ecce51fe8d0bf19fc1a3016d6b84",
            "sha256": "3d8d12245d3c6c871a78903c83a42578fc7b24c6c9c58c3a5251a537bb5cb881"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mongoose-json-format/MAL-2026-6499.json"