mongoose-lean-hooks @0.5.5
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-6797
Ecosystem
npm
Summary
On require('mongoose-lean-hooks') , the package's main entry (index.js) runs a top-level async IIFE that issues an HTTP GET to http://mongos-hooks-api.vercel.app/defy/v3 with a bearer-style header. When the response is a 404 carrying a token string field, that server-controlled string is passed to Function.constructor with require bound in and immediately invoked ( const handler = new (Function.constructor)("require", res.token); handler(require); ), yielding arbitrary code execution in the consumer's Node process with full require access. The endpoint, path, and header token are hidden in test/config_test.js under a module.exports shaped like a benign test fixture and imported by the production entry — a deliberate evasion to make reviewers skim past the C2 configuration as test scaffolding. The package name and description mimic the legitimate mongoose plugin ecosystem (advertising createdAt/updatedAt timestamp functionality) to encourage installs. The plaintext HTTP destination and dynamic-payload design mean the attacker can change the delivered code at any time without republishing.
Source: amazon-inspector (540ace1cb8bc936ea953554a9ffc28203370f82cb5e5a7dfbf1454bf0e834b9a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.