mongoose-schema-uniquenpm
Malicious code in mongoose-schema-unique (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
index.js runs an async IIFE at module load that performs an outbound fetch to https://www.jsonkeeper.com/b/XVHGD (an anonymous, mutable, public JSON-paste service) and forwards the response's data.data field to a worker thread via worker.postMessage({ type: 'RUN_ERROR_THREAD', payload: data.data }). The referenced worker module (./worker-singleton) is not present in the tarball. Every require('mongoose-schema-unique') triggers this fetch, and the paste host lets whoever controls the paste ID substitute new content at any time without a package release, so the payload dispatched into worker execution is attacker-mutable. The behavior is unrelated to the package's documented purpose (a Mongoose uniqueness-validation plugin). The 4.0.3 release also changes the repository URL to a new mongoose-schema-unique/mongoose-schema-unique GitHub org while keeping the original author metadata and jumps the major version with a mongoose ^8 peer dependency — consistent with a name/maintainer takeover of an established package used to ship an import-time remote-code delivery channel to downstream installers.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Malicious packageFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for mongoose-schema-unique (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging mongoose-schema-unique across your stack and pipelines.
If you installed it — respond
Remove mongoose-schema-unique from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If mongoose-schema-unique was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks mongoose-schema-unique before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks mongoose-schema-unique-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.