Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

mongoose-schema-uniquenpm

Malicious code in mongoose-schema-unique (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-10184
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall mongoose-schema-unique

What this malware does

index.js runs an async IIFE at module load that performs an outbound fetch to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable, public JSON-paste service) and forwards the response's data.data field to a worker thread via worker.postMessage({ type: 'RUN_ERROR_THREAD', payload: data.data }). The referenced worker module (./worker-singleton) is not present in the tarball. Every require('mongoose-schema-unique') triggers this fetch, and the paste host lets whoever controls the paste ID substitute new content at any time without a package release, so the payload dispatched into worker execution is attacker-mutable. The behavior is unrelated to the package's documented purpose (a Mongoose uniqueness-validation plugin). The 4.0.3 release also changes the repository URL to a new mongoose-schema-unique/mongoose-schema-unique GitHub org while keeping the original author metadata and jumps the major version with a mongoose ^8 peer dependency — consistent with a name/maintainer takeover of an established package used to ship an import-time remote-code delivery channel to downstream installers.

Malicious versions

3 flagged
4.0.24.0.34.0.4

Indicators of compromise (SHA-256)

7ce7507c96fde82f5149a4d2277846bd6a257d188b3253b772b7e84a4484940d
7e3806417e775917428aeea0eb50ecbfec0bc2220282bee33f4138ff43e80dca
ae9339a874c589bcd7c0df518d00927173946d905da93f1b6fd5d97b5c9c787e

Detection & response playbook

Malicious package
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for mongoose-schema-unique (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging mongoose-schema-unique across your stack and pipelines.

  2. If you installed it — respond

    Remove mongoose-schema-unique from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If mongoose-schema-unique was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks mongoose-schema-unique before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. mongoose-schema-unique on npm has been identified as a malicious package (versions 4.0.2, 4.0.3, 4.0.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-009722IN-MAL-2026-009721IN-MAL-2026-009725

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks mongoose-schema-unique-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.