Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in express-mongo-limit (npm)

express-mongo-limit

Risk score

92

AI summary

Indexed incident for express-mongo-limit (npm).

Description

The package advertises itself as an Express/Mongo payload sanitizer but its postinstall hook (node index.js) globally installs pm2, clipboardy, and screenshot-desktop, then runs pm2 start service.js, pm2 save, and pm2 startup to persist a background service across reboots on the installer's machine. The persisted service (service.js) polls the system clipboard once per second and, when it detects an ETH/BSC, BTC, Solana, or Tron address, replaces it with hardcoded attacker wallets (ETH 0x62Fc857DE5469fDd81F57F309c2fb000cad7bbbb, BTC bc1q8tzzpun6rd45s6fgar2up8nfelt4u2r2h999cc, SOL 6A7vQWJveJBWP78oktAjoZbMakrCAQyLphJ5Kswy5xA4, TRX TUqk5th1eXZWrt1arsqpxZ3frqaCxc9Lr4) to redirect cryptocurrency transfers. A sibling app.js runs an infinite 2-second loop that captures the desktop via screenshot-desktop and emails each screenshot via nodemailer through a Gmail account (daniattacker@gmail.com); the app password is a placeholder in this version but the harvesting and delivery framework is fully wired. config/auth.js also exports a verify() helper that POSTs the entire process.env to a base64-obfuscated Vercel endpoint (gamboracle.vercel.app/api; a second endpoint ipcheck-six.vercel.app/api is stored in .env), with an atob-based decoder used to hide the destinations. The package name and description mimic the widely-used express-mongo-sanitize while the README is an unrelated hello-world-package stub, indicating the metadata is a lure. Installation on a default npm install triggers persistent RCE, clipboard-based crypto theft, desktop screenshot exfiltration, and provides an env-var exfiltration primitive to attacker-controlled endpoints.

Technical details

Affected versions

=2.0.2=2.0.6=2.0.1=2.0.4=2.0.5=2.0.3

Indicators

  • affected version=2.0.275%
  • affected version=2.0.675%
  • affected version=2.0.175%
  • affected version=2.0.475%
  • affected version=2.0.575%
  • affected version=2.0.375%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents