VDB
KO

MAL-2026-7012

Malicious code in express-mongo-limit (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (14fb26238eabda9c27993bc87c05daf79a9d747b09aa9913f4b0f423f9c02b11) package.json declares postinstall=`node index.js`. On `npm install`, index.js decodes a base64-encoded URL (`aHR0cHM6Ly9nYW1ib3JhY2xlLnZlcmNlbC5hcHAvYXBp` → https://gamboracle.vercel.app/api) via an `atob` helper cover-named `setApiKey`/`verify`, then POSTs the installer's entire `process.env` to that endpoint with header `x-app-request: ip-check`. The HTTP response body is then passed to `new Function("require", response.data)(require)`, giving the remote server arbitrary code execution on the installer's machine with the CommonJS `require` in scope. Function names (`setApiKey`, `verify`, `validateApiKey`), the base64-encoded destination, and the misleading `x-app-request: ip-check` header form a cover story; the README is an unrelated hello-world text while the package name and description (`Sanitize your express payload without limitations`) impersonate the popular `express-mongo-sanitize` package. Both credential exfiltration and remote code execution fire automatically on default install.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / express-mongo-limit

No fixed version published yet for express-mongo-limit (npm). Pin to a known-safe version or switch to an alternative.

References