npm

express-mongo-limit @2.0.6

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-7012

Ecosystem

npm

Summary

package.json declares postinstall= node index.js . On npm install , index.js decodes a base64-encoded URL ( aHR0cHM6Ly9nYW1ib3JhY2xlLnZlcmNlbC5hcHAvYXBp → https://gamboracle.vercel.app/api) via an atob helper cover-named setApiKey / verify , then POSTs the installer's entire process.env to that endpoint with header x-app-request: ip-check . The HTTP response body is then passed to new Function("require", response.data)(require) , giving the remote server arbitrary code execution on the installer's machine with the CommonJS require in scope. Function names ( setApiKey , verify , validateApiKey ), the base64-encoded destination, and the misleading x-app-request: ip-check header form a cover story; the README is an unrelated hello-world text while the package name and description ( Sanitize your express payload without limitations ) impersonate the popular express-mongo-sanitize package. Both credential exfiltration and remote code execution fire automatically on default install.

Source: amazon-inspector (14fb26238eabda9c27993bc87c05daf79a9d747b09aa9913f4b0f423f9c02b11)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.