npm

mongoose-lean-hooks @0.5.7

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-6797

Ecosystem

npm

Summary

On require('mongoose-lean-hooks') , the package's main entry (index.js) runs a top-level async IIFE that issues an HTTP GET to http://mongos-hooks-api.vercel.app/defy/v3 with a bearer-style header. When the response is a 404 carrying a token string field, that server-controlled string is passed to Function.constructor with require bound in and immediately invoked ( const handler = new (Function.constructor)("require", res.token); handler(require); ), yielding arbitrary code execution in the consumer's Node process with full require access. The endpoint, path, and header token are hidden in test/config_test.js under a module.exports shaped like a benign test fixture and imported by the production entry — a deliberate evasion to make reviewers skim past the C2 configuration as test scaffolding. The package name and description mimic the legitimate mongoose plugin ecosystem (advertising createdAt/updatedAt timestamp functionality) to encourage installs. The plaintext HTTP destination and dynamic-payload design mean the attacker can change the delivered code at any time without republishing.

Source: amazon-inspector (540ace1cb8bc936ea953554a9ffc28203370f82cb5e5a7dfbf1454bf0e834b9a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.