MAL-2026-7012
Malicious code in express-mongo-limit (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (14fb26238eabda9c27993bc87c05daf79a9d747b09aa9913f4b0f423f9c02b11) package.json declares postinstall=`node index.js`. On `npm install`, index.js decodes a base64-encoded URL (`aHR0cHM6Ly9nYW1ib3JhY2xlLnZlcmNlbC5hcHAvYXBp` → https://gamboracle.vercel.app/api) via an `atob` helper cover-named `setApiKey`/`verify`, then POSTs the installer's entire `process.env` to that endpoint with header `x-app-request: ip-check`. The HTTP response body is then passed to `new Function("require", response.data)(require)`, giving the remote server arbitrary code execution on the installer's machine with the CommonJS `require` in scope. Function names (`setApiKey`, `verify`, `validateApiKey`), the base64-encoded destination, and the misleading `x-app-request: ip-check` header form a cover story; the README is an unrelated hello-world text while the package name and description (`Sanitize your express payload without limitations`) impersonate the popular `express-mongo-sanitize` package. Both credential exfiltration and remote code execution fire automatically on default install.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for express-mongo-limit (npm). Pin to a known-safe version or switch to an alternative.