Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in mongoose-schema-unique (npm)

mongoose-schema-unique

Risk score

92

AI summary

Indexed incident for mongoose-schema-unique (npm).

Description

index.js runs an async IIFE at module load that performs an outbound fetch to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable, public JSON-paste service) and forwards the response's data.data field to a worker thread via worker.postMessage({ type: 'RUN_ERROR_THREAD', payload: data.data }). The referenced worker module (./worker-singleton) is not present in the tarball. Every require('mongoose-schema-unique') triggers this fetch, and the paste host lets whoever controls the paste ID substitute new content at any time without a package release, so the payload dispatched into worker execution is attacker-mutable. The behavior is unrelated to the package's documented purpose (a Mongoose uniqueness-validation plugin). The 4.0.3 release also changes the repository URL to a new mongoose-schema-unique/mongoose-schema-unique GitHub org while keeping the original author metadata and jumps the major version with a mongoose ^8 peer dependency — consistent with a name/maintainer takeover of an established package used to ship an import-time remote-code delivery channel to downstream installers.

Technical details

Affected versions

=4.0.4=4.0.3=4.0.2

Indicators

  • affected version=4.0.475%
  • affected version=4.0.375%
  • affected version=4.0.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents