OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-7012 confirms this npm version as malicious. package.json declares postinstall=`node index.js`. On `npm install`, index.js decodes a base64-encoded URL (`aHR0cHM6Ly9nYW1ib3JhY2xlLnZlcmNlbC5hcHAvYXBp` → https://gamboracle.vercel.app/api) via an `atob` helper cover-named `setApiKey`/`verify`, then POSTs the installer's entire `process.env` to that endpoint with header `x-app-request: ip-check`...
Advisory
MAL-2026-7012
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in express-mongo-limit (npm)
Details
package.json declares postinstall=`node index.js`. On `npm install`, index.js decodes a base64-encoded URL (`aHR0cHM6Ly9nYW1ib3JhY2xlLnZlcmNlbC5hcHAvYXBp` → https://gamboracle.vercel.app/api) via an `atob` helper cover-named `setApiKey`/`verify`, then POSTs the installer's entire `process.env` to that endpoint with header `x-app-request: ip-check`. The HTTP response body is then passed to `new Function("require", response.data)(require)`, giving the remote server arbitrary code execution on the installer's machine with the CommonJS `require` in scope. Function names (`setApiKey`, `verify`, `validateApiKey`), the base64-encoded destination, and the misleading `x-app-request: ip-check` header form a cover story; the README is an unrelated hello-world text while the package name and description (`Sanitize your express payload without limitations`) impersonate the popular `express-mongo-sanitize` package. Both credential exfiltration and remote code execution fire automatically on default install.
Decision reason
OpenSSF Malicious Packages via OSV confirms express-mongo-limit@2.0.2 as malicious (MAL-2026-7012): Malicious code in express-mongo-limit (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory