VYPR

npm · Malicious package advisory

Malware

mongoose-schema-unique

MAL-2026-10184

Malicious code in mongoose-schema-unique (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7e3806417e775917428aeea0eb50ecbfec0bc2220282bee33f4138ff43e80dca)
index.js runs an async IIFE at module load that performs an outbound fetch to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable, public JSON-paste service) and forwards the response's `data.data` field to a worker thread via `worker.postMessage({ type: 'RUN_ERROR_THREAD', payload: data.data })`. The referenced worker module (`./worker-singleton`) is not present in the tarball. Every `require('mongoose-schema-unique')` triggers this fetch, and the paste host lets whoever controls the paste ID substitute new content at any time without a package release, so the payload dispatched into worker execution is attacker-mutable. The behavior is unrelated to the package's documented purpose (a Mongoose uniqueness-validation plugin). The 4.0.3 release also changes the repository URL to a new `mongoose-schema-unique/mongoose-schema-unique` GitHub org while keeping the original author metadata and jumps the major version with a `mongoose ^8` peer dependency — consistent with a name/maintainer takeover of an established package used to ship an import-time remote-code delivery channel to downstream installers.

Compromised versions (3)

  • 4.0.4
  • 4.0.3
  • 4.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.