mongoose-json-format @3.0.1

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC

Malicious

OSV ID

MAL-2026-6499

Ecosystem

npm

Summary

On require(), helpers.js instantiates a Helper whose constructor invokes createLog(). createLog() base64-decodes the string assigned to HASH_KEY (decoding to https://www.jsonkeeper.com/b/XVHGD, an anonymous mutable JSON paste host), fetches that URL, and passes the response body's data.data field as threadContent to createLogger() from the log-format-thread dependency. The package's advertised purpose is formatting Mongoose JSON output; there is no legitimate reason for it to retrieve content from a paste host at import time. The URL is hidden via base64 and given the misleading name HASH_KEY. Because jsonkeeper.com content is attacker-mutable and the fetched bytes are handed to a dependency for processing, any consumer that require()s this package becomes a vehicle for arbitrary attacker-controlled content delivered at import time.
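As an added defensive example (not code from the package, from the report's source, or from osv.dev), the following Python scanner implements the check this summary implies: locate base64-looking string literals assigned to constants in a JavaScript file, decode them, and flag any that turn out to be http(s) URLs, especially ones pointing at a paste host. The sample helpers.js content is constructed to mirror the described HASH_KEY pattern, and the paste-host list beyond jsonkeeper.com is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# jsonkeeper.com is the host named in this report; the other entries are assumed
# examples of mutable paste hosts and can be tuned per environment.
PASTE_HOSTS = {"www.jsonkeeper.com", "jsonkeeper.com", "pastebin.com", "paste.ee"}

# Matches `NAME = "..."` or `NAME: '...'` where the literal looks like base64 (>= 16 chars).
LITERAL_RE = re.compile(r"""(\w+)\s*[=:]\s*["']([A-Za-z0-9+/]{16,}={0,2})["']""")


def decode_base64_url(candidate: str):
    """Return the decoded text if `candidate` is base64 for an http(s) URL, else None."""
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return text
    return None


def find_hidden_urls(source: str):
    """Return (constant_name, decoded_url, is_paste_host) for each obfuscated URL literal."""
    findings = []
    for name, literal in LITERAL_RE.findall(source):
        url = decode_base64_url(literal)
        if url is None:
            continue  # base64-looking but not a URL (keys, salts, encoded text)
        host = urlparse(url).hostname or ""
        findings.append((name, url, host in PASTE_HOSTS))
    return findings


# Constructed sample standing in for helpers.js; the URL is the one the report decoded.
SAMPLE_HELPERS_JS = (
    'const HASH_KEY = "' + base64.b64encode(b"https://www.jsonkeeper.com/b/XVHGD").decode() + '";\n'
    'const FORMAT = "pretty";\n'
    'const SALT = "QUJDREVGR0hJSktMTU5PUFFSU1RVVlc=";\n'  # base64 of plain text, not a URL
)

if __name__ == "__main__":
    for name, url, paste in find_hidden_urls(SAMPLE_HELPERS_JS):
        print(f"{name}: decodes to {url}" + ("  [paste host]" if paste else ""))
```

Run it over every .js file in node_modules after install (or in CI before merging a lockfile change) and treat any hit that resolves to a paste host as a blocker for manual review.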

Source: amazon-inspector (2a3dc63cdceb40d6f0fe338bcdbe589689ab2897f44cbb6b7c3d0192b5bd09c5)
