Malicious package

finup-mongo-library (npm)

Malicious code in finup-mongo-library (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4564
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall finup-mongo-library

What this malware does

dist/common/instrument.js calls Sentry.init() at module top level with a hardcoded DSN pointing at the author's Sentry project (o4511257159139328.ingest.us.sentry.io/4511257262161920), with tracesSampleRate and profilesSampleRate both set to 1.0. Because dist/index.js re-exports this module via __exportStar, any consumer that does require('finup-mongo-library') (or imports it in a NestJS app, the package's stated purpose) globally configures the Sentry SDK singleton in their Node.js process. From that point onward, all uncaught exceptions, performance traces, and profiles produced by the consumer's application — which routinely include stack frames, source file paths, request URLs, query parameters, and incidental PII captured in error context — are shipped to a Sentry account the author controls, with no caller opt-in and no documented disclosure. This is a silent-relay shape: the destination is hardcoded by the author, the trigger is module import, and the data flowing out is the consumer's application telemetry, not the package's own. A separately-shipped HttpExceptionFilter additionally POSTs request bodies to a Telegram bot URL, but that destination is read from consumer env vars, so it is opt-in and not part of the relay finding.

Malicious versions

9 flagged: 3.9.9, 4.0.1, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.9, 4.1.2, 4.1.3

Indicators of compromise (SHA-256)

0ebcd2feb8924949312b4c4060c51256c9a62edc9793243b8f00f5dbf6bcc747
1d9d0b210938322b805e1c8d94db07f45ca029fc4e69fb3a57f424eb885c1a39
c0b86b47904b349a2e1215249ecac574cf16e96af29ca368ec929ae9ecaac151
d20ccd8aeb5a7189ddbf4b3aa9806035fad27f0e07796f5a051e2293c06a770d
0b82a9d3071d50ffb4b6280c9ddd502995f71e2d649378921a74693caea37c68
268d4a1df99e96db1ebec9a5a8da35d9ba246fdbe387f95eb91bef21e3f8634f
8cb587efe462ac7a330bc0ba14e2938d0f3ece61c968b2ac35a8c65b1338889e
8dc70de904401a2a736376ce397178431485e593f654c341fd1ac3b46b553c63
9cc68edfd3f754d1c8a3c655575082875be153edcef13f8a28f497c6474761aa

Frequently asked questions

Is finup-mongo-library safe to use?

No. finup-mongo-library on npm has been identified as a malicious package (flagged versions: 3.9.9, 4.0.1, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.9, 4.1.2, and 4.1.3). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • IN-MAL-2026-004181
  • IN-MAL-2026-003805
  • IN-MAL-2026-006075
  • IN-MAL-2026-006076
  • IN-MAL-2026-006079
  • IN-MAL-2026-006077
  • IN-MAL-2026-006074
  • IN-MAL-2026-006073
  • IN-MAL-2026-006078

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

finup-mongo-library (npm) malicious package — MAL-2026-4564 | O3 Security