registry  /  mongoose-schema-unique  /  4.0.2

mongoose-schema-unique@4.0.2

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10184 confirms this npm version as malicious. index.js runs an async IIFE at module load that performs an outbound fetch to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable, public JSON-paste service) and forwards the response's `data.data` field to a worker thread via `worker.postMessage({ type: 'RUN_ERROR_THREAD', payload: data.data })`. The referenced worker module (`./worker-singleton`) is not present in the tarball...

Advisory
MAL-2026-10184
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in mongoose-schema-unique (npm)
Details
index.js runs an async IIFE at module load that performs an outbound fetch to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable, public JSON-paste service) and forwards the response's `data.data` field to a worker thread via `worker.postMessage({ type: 'RUN_ERROR_THREAD', payload: data.data })`. The referenced worker module (`./worker-singleton`) is not present in the tarball. Every `require('mongoose-schema-unique')` triggers this fetch, and the paste host lets whoever controls the paste ID substitute new content at any time without a package release, so the payload dispatched into worker execution is attacker-mutable. The behavior is unrelated to the package's documented purpose (a Mongoose uniqueness-validation plugin). The 4.0.3 release also changes the repository URL to a new `mongoose-schema-unique/mongoose-schema-unique` GitHub org while keeping the original author metadata and jumps the major version with a `mongoose ^8` peer dependency — consistent with a name/maintainer takeover of an established package used to ship an import-time remote-code delivery channel to downstream installers.
Decision reason
OpenSSF Malicious Packages via OSV confirms mongoose-schema-unique@4.0.2 as malicious (MAL-2026-10184): Malicious code in mongoose-schema-unique (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory