npm · Malicious package advisory
Malwaremongoose-schema-unique
MAL-2026-10184
Malicious code in mongoose-schema-unique (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7e3806417e775917428aeea0eb50ecbfec0bc2220282bee33f4138ff43e80dca)
index.js runs an async IIFE at module load that performs an outbound fetch to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable, public JSON-paste service) and forwards the response's `data.data` field to a worker thread via `worker.postMessage({ type: 'RUN_ERROR_THREAD', payload: data.data })`. The referenced worker module (`./worker-singleton`) is not present in the tarball. Every `require('mongoose-schema-unique')` triggers this fetch, and the paste host lets whoever controls the paste ID substitute new content at any time without a package release, so the payload dispatched into worker execution is attacker-mutable. The behavior is unrelated to the package's documented purpose (a Mongoose uniqueness-validation plugin). The 4.0.3 release also changes the repository URL to a new `mongoose-schema-unique/mongoose-schema-unique` GitHub org while keeping the original author metadata and jumps the major version with a `mongoose ^8` peer dependency — consistent with a name/maintainer takeover of an established package used to ship an import-time remote-code delivery channel to downstream installers.
Compromised versions (3)
- 4.0.4
- 4.0.3
- 4.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.