registry  /  express-mongo-limit  /  2.0.3

express-mongo-limit@2.0.3

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-7012 confirms this npm version as malicious. The package advertises itself as an Express/Mongo payload sanitizer but its postinstall hook (`node index.js`) globally installs pm2, clipboardy, and screenshot-desktop, then runs `pm2 start service.js`, `pm2 save`, and `pm2 startup` to persist a background service across reboots on the installer's machine. The persisted service (`service.js`) polls the system clipboard once per second and, when it detects an...

Advisory
MAL-2026-7012
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in express-mongo-limit (npm)
Details
The package advertises itself as an Express/Mongo payload sanitizer but its postinstall hook (`node index.js`) globally installs pm2, clipboardy, and screenshot-desktop, then runs `pm2 start service.js`, `pm2 save`, and `pm2 startup` to persist a background service across reboots on the installer's machine. The persisted service (`service.js`) polls the system clipboard once per second and, when it detects an ETH/BSC, BTC, Solana, or Tron address, replaces it with hardcoded attacker wallets (ETH 0x62Fc857DE5469fDd81F57F309c2fb000cad7bbbb, BTC bc1q8tzzpun6rd45s6fgar2up8nfelt4u2r2h999cc, SOL 6A7vQWJveJBWP78oktAjoZbMakrCAQyLphJ5Kswy5xA4, TRX TUqk5th1eXZWrt1arsqpxZ3frqaCxc9Lr4) to redirect cryptocurrency transfers. A sibling `app.js` runs an infinite 2-second loop that captures the desktop via screenshot-desktop and emails each screenshot via nodemailer through a Gmail account (daniattacker@gmail.com); the app password is a placeholder in this version but the harvesting and delivery framework is fully wired. `config/auth.js` also exports a `verify()` helper that POSTs the entire `process.env` to a base64-obfuscated Vercel endpoint (gamboracle.vercel.app/api; a second endpoint ipcheck-six.vercel.app/api is stored in `.env`), with an `atob`-based decoder used to hide the destinations. The package name and description mimic the widely-used `express-mongo-sanitize` while the README is an unrelated `hello-world-package` stub, indicating the metadata is a lure. Installation on a default `npm install` triggers persistent RCE, clipboard-based crypto theft, desktop screenshot exfiltration, and provides an env-var exfiltration primitive to attacker-controlled endpoints.
Decision reason
OpenSSF Malicious Packages via OSV confirms express-mongo-limit@2.0.3 as malicious (MAL-2026-7012): Malicious code in express-mongo-limit (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory