Supply-chain threat intelligence
Risk score
92
Indexed incident for express-mongo-limit (npm).
The package advertises itself as an Express/Mongo payload sanitizer but its postinstall hook (node index.js) globally installs pm2, clipboardy, and screenshot-desktop, then runs pm2 start service.js, pm2 save, and pm2 startup to persist a background service across reboots on the installer's machine. The persisted service (service.js) polls the system clipboard once per second and, when it detects an ETH/BSC, BTC, Solana, or Tron address, replaces it with hardcoded attacker wallets (ETH 0x62Fc857DE5469fDd81F57F309c2fb000cad7bbbb, BTC bc1q8tzzpun6rd45s6fgar2up8nfelt4u2r2h999cc, SOL 6A7vQWJveJBWP78oktAjoZbMakrCAQyLphJ5Kswy5xA4, TRX TUqk5th1eXZWrt1arsqpxZ3frqaCxc9Lr4) to redirect cryptocurrency transfers. A sibling app.js runs an infinite 2-second loop that captures the desktop via screenshot-desktop and emails each screenshot via nodemailer through a Gmail account (daniattacker@gmail.com); the app password is a placeholder in this version but the harvesting and delivery framework is fully wired. config/auth.js also exports a verify() helper that POSTs the entire process.env to a base64-obfuscated Vercel endpoint (gamboracle.vercel.app/api; a second endpoint ipcheck-six.vercel.app/api is stored in .env), with an atob-based decoder used to hide the destinations. The package name and description mimic the widely-used express-mongo-sanitize while the README is an unrelated hello-world-package stub, indicating the metadata is a lure. Installation on a default npm install triggers persistent RCE, clipboard-based crypto theft, desktop screenshot exfiltration, and provides an env-var exfiltration primitive to attacker-controlled endpoints.
Affected versions
Indicators
Timeline