mongoose-schema-unique @4.0.4
Vulnerability report · Last retrieved from osv.dev July 11, 2026 at 5:36 AM UTC
OSV ID
MAL-2026-10184
Ecosystem
npm
Summary
index.js runs an async IIFE at module load that performs an outbound fetch to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable, public JSON-paste service) and forwards the response's data.data field to a worker thread via worker.postMessage({ type: 'RUN_ERROR_THREAD', payload: data.data }) . The referenced worker module ( ./worker-singleton ) is not present in the tarball. Every require('mongoose-schema-unique') triggers this fetch, and the paste host lets whoever controls the paste ID substitute new content at any time without a package release, so the payload dispatched into worker execution is attacker-mutable. The behavior is unrelated to the package's documented purpose (a Mongoose uniqueness-validation plugin). The 4.0.3 release also changes the repository URL to a new mongoose-schema-unique/mongoose-schema-unique GitHub org while keeping the original author metadata and jumps the major version with a mongoose ^8 peer dependency — consistent with a name/maintainer takeover of an established package used to ship an import-time remote-code delivery channel to downstream installers.
Source: amazon-inspector (7e3806417e775917428aeea0eb50ecbfec0bc2220282bee33f4138ff43e80dca)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.