-= Per source details. Do not edit below this line.=-
package.json declares postinstall=node index.js. On npm install, index.js decodes a base64-encoded URL (aHR0cHM6Ly9nYW1ib3JhY2xlLnZlcmNlbC5hcHAvYXBp → https://gamboracle.vercel.app/api) via an atob helper cover-named setApiKey/verify, then POSTs the installer's entire process.env to that endpoint with header x-app-request: ip-check. The HTTP response body is then passed to new Function("require", response.data)(require), giving the remote server arbitrary code execution on the installer's machine with the CommonJS require in scope. Function names (setApiKey, verify, validateApiKey), the base64-encoded destination, and the misleading x-app-request: ip-check header form a cover story; the README is an unrelated hello-world text while the package name and description (Sanitize your express payload without limitations) impersonate the popular express-mongo-sanitize package. Both credential exfiltration and remote code execution fire automatically on default install.
{
"malicious-packages-origins": [
{
"sha256": "14fb26238eabda9c27993bc87c05daf79a9d747b09aa9913f4b0f423f9c02b11",
"id": "IN-MAL-2026-008169",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:40:19.651336977Z",
"modified_time": "2026-07-08T17:29:28Z",
"versions": [
"2.0.2"
]
},
{
"sha256": "7d96872ebd4caa268253a12ad978f944ea4cb9f5c7e8c56e8d6ca20371be80f0",
"id": "IN-MAL-2026-008166",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:40:19.360960794Z",
"modified_time": "2026-07-08T17:28:37Z",
"versions": [
"2.0.6"
]
}
]
}{
"package_integrity": [
{
"filename": "express-mongo-limit-2.0.2.tgz",
"hashes": {
"sha1": "920a44630ecae3330a005dfc97e0f95f20f37d8c",
"sha512_sri": "sha512-UfuC5IJZ+VwwZjstCYRxhpFinzmVw7fGnh+1bIR+4LJVkFrc3fyfPdq4vi8vB4FB+O5iQxGxocU8coa2C70Pqw=="
}
}
],
"evidence_files": [
{
"path": "index.js",
"tlsh": "ac119c0a1c96102ad1377bb8cb0b401bf753c5230268d25aba9f91501ff29a49621ffd",
"sha256": "c4a3e3af06249afd5ef2abf09e7e4bdd85583dcb6837933afa623789542f6fee"
},
{
"path": "config/auth.js",
"tlsh": "a4d0a75e88d9209209f6e7a0b8a54417a680d122248ddad0350c114d2fe4056d1988d8",
"sha256": "a2b44e9baea8761757c717d19ed0a31f819423625dcdfbb0f3250809e749705e"
},
{
"path": "package.json",
"tlsh": "4de02233d9009a332df0969a6d698696b6a09b2f10a09c0b32bb116c5b6613219cb349",
"sha256": "f4e7a27f05cc81924f979eefafdc7821fbcfcc15a8423a2165b52e23621f49e3"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-mongo-limit/MAL-2026-7012.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]