Supply-chain threat intelligence
Risk score
92
Indexed incident for mongoose-schema-unique (npm).
index.js runs an async IIFE at module load that performs an outbound fetch to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable, public JSON-paste service) and forwards the response's data.data field to a worker thread via worker.postMessage({ type: 'RUN_ERROR_THREAD', payload: data.data }). The referenced worker module (./worker-singleton) is not present in the tarball. Every require('mongoose-schema-unique') triggers this fetch, and the paste host lets whoever controls the paste ID substitute new content at any time without a package release, so the payload dispatched into worker execution is attacker-mutable. The behavior is unrelated to the package's documented purpose (a Mongoose uniqueness-validation plugin). The 4.0.3 release also changes the repository URL to a new mongoose-schema-unique/mongoose-schema-unique GitHub org while keeping the original author metadata and jumps the major version with a mongoose ^8 peer dependency — consistent with a name/maintainer takeover of an established package used to ship an import-time remote-code delivery channel to downstream installers.
Affected versions
Indicators
Timeline