MAL-2026-7012

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-mongo-limit/MAL-2026-7012.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7012
Published
2026-07-08T17:28:37Z
Modified
2026-07-08T17:46:44.255199265Z
Summary
Malicious code in express-mongo-limit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (14fb26238eabda9c27993bc87c05daf79a9d747b09aa9913f4b0f423f9c02b11)

package.json declares postinstall=node index.js. On npm install, index.js decodes a base64-encoded URL (aHR0cHM6Ly9nYW1ib3JhY2xlLnZlcmNlbC5hcHAvYXBp → https://gamboracle.vercel.app/api) via an atob helper cover-named setApiKey/verify, then POSTs the installer's entire process.env to that endpoint with header x-app-request: ip-check. The HTTP response body is then passed to new Function("require", response.data)(require), giving the remote server arbitrary code execution on the installer's machine with the CommonJS require in scope. Function names (setApiKey, verify, validateApiKey), the base64-encoded destination, and the misleading x-app-request: ip-check header form a cover story; the README is an unrelated hello-world text while the package name and description (Sanitize your express payload without limitations) impersonate the popular express-mongo-sanitize package. Both credential exfiltration and remote code execution fire automatically on default install.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "14fb26238eabda9c27993bc87c05daf79a9d747b09aa9913f4b0f423f9c02b11",
            "id": "IN-MAL-2026-008169",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:40:19.651336977Z",
            "modified_time": "2026-07-08T17:29:28Z",
            "versions": [
                "2.0.2"
            ]
        },
        {
            "sha256": "7d96872ebd4caa268253a12ad978f944ea4cb9f5c7e8c56e8d6ca20371be80f0",
            "id": "IN-MAL-2026-008166",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:40:19.360960794Z",
            "modified_time": "2026-07-08T17:28:37Z",
            "versions": [
                "2.0.6"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / express-mongo-limit

Package

Name
express-mongo-limit
View open source insights on deps.dev
Purl
pkg:npm/express-mongo-limit

Affected ranges

Affected versions

2.*
2.0.2
2.0.6

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "express-mongo-limit-2.0.2.tgz",
            "hashes": {
                "sha1": "920a44630ecae3330a005dfc97e0f95f20f37d8c",
                "sha512_sri": "sha512-UfuC5IJZ+VwwZjstCYRxhpFinzmVw7fGnh+1bIR+4LJVkFrc3fyfPdq4vi8vB4FB+O5iQxGxocU8coa2C70Pqw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "ac119c0a1c96102ad1377bb8cb0b401bf753c5230268d25aba9f91501ff29a49621ffd",
            "sha256": "c4a3e3af06249afd5ef2abf09e7e4bdd85583dcb6837933afa623789542f6fee"
        },
        {
            "path": "config/auth.js",
            "tlsh": "a4d0a75e88d9209209f6e7a0b8a54417a680d122248ddad0350c114d2fe4056d1988d8",
            "sha256": "a2b44e9baea8761757c717d19ed0a31f819423625dcdfbb0f3250809e749705e"
        },
        {
            "path": "package.json",
            "tlsh": "4de02233d9009a332df0969a6d698696b6a09b2f10a09c0b32bb116c5b6613219cb349",
            "sha256": "f4e7a27f05cc81924f979eefafdc7821fbcfcc15a8423a2165b52e23621f49e3"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-mongo-limit/MAL-2026-7012.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]