MAL-2026-10184
Malicious code in mongoose-schema-unique (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7e3806417e775917428aeea0eb50ecbfec0bc2220282bee33f4138ff43e80dca) index.js runs an async IIFE at module load that performs an outbound fetch to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable, public JSON-paste service) and forwards the response's `data.data` field to a worker thread via `worker.postMessage({ type: 'RUN_ERROR_THREAD', payload: data.data })`. The referenced worker module (`./worker-singleton`) is not present in the tarball. Every `require('mongoose-schema-unique')` triggers this fetch, and the paste host lets whoever controls the paste ID substitute new content at any time without a package release, so the payload dispatched into worker execution is attacker-mutable. The behavior is unrelated to the package's documented purpose (a Mongoose uniqueness-validation plugin). The 4.0.3 release also changes the repository URL to a new `mongoose-schema-unique/mongoose-schema-unique` GitHub org while keeping the original author metadata and jumps the major version with a `mongoose ^8` peer dependency — consistent with a name/maintainer takeover of an established package used to ship an import-time remote-code delivery channel to downstream installers.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for mongoose-schema-unique (npm). Pin to a known-safe version or switch to an alternative.