MAL-2026-6499: Malicious code in mongoose-json-format (npm)
The npm package mongoose-json-format version 3.0.1 contains malicious code that fetches attacker-controlled content from an anonymous mutable JSON paste host at import time. This behavior is unexpected for a package intended to format Mongoose JSON output. The package base64-decodes a hidden URL and retrieves data which is then processed by a dependency, enabling arbitrary attacker-controlled content execution during require().
AI Analysis
Technical Summary
The mongoose-json-format package (version 3.0.1) includes code in helpers.js that, upon require(), instantiates a Helper object whose constructor calls createLog(). This function base64-decodes a string named HASH_KEY to obtain a URL (https://www.jsonkeeper.com/b/XVHGD) pointing to an anonymous mutable JSON paste host. The package fetches this URL and passes the response's data.data field to createLogger() from the log-format-thread dependency. Since the content at jsonkeeper.com is attacker-mutable, this allows arbitrary attacker-controlled content to be delivered and processed at import time, effectively turning any consumer of this package into a vehicle for executing malicious content.
Potential Impact
Any application that includes mongoose-json-format version 3.0.1 as a dependency and requires it will execute attacker-controlled content fetched at runtime from a mutable external source. This can lead to arbitrary code execution or other malicious behaviors depending on the content delivered and how the downstream dependency processes it. The malicious behavior occurs immediately upon import, making it a supply chain risk.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid using mongoose-json-format version 3.0.1. Since this is a malicious package, removing it from dependencies and replacing it with a trusted alternative is recommended. Monitor vendor advisories for any updates or fixes. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
MAL-2026-6499: Malicious code in mongoose-json-format (npm)
Description
The npm package mongoose-json-format version 3.0.1 contains malicious code that fetches attacker-controlled content from an anonymous mutable JSON paste host at import time. This behavior is unexpected for a package intended to format Mongoose JSON output. The package base64-decodes a hidden URL and retrieves data which is then processed by a dependency, enabling arbitrary attacker-controlled content execution during require().
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The mongoose-json-format package (version 3.0.1) includes code in helpers.js that, upon require(), instantiates a Helper object whose constructor calls createLog(). This function base64-decodes a string named HASH_KEY to obtain a URL (https://www.jsonkeeper.com/b/XVHGD) pointing to an anonymous mutable JSON paste host. The package fetches this URL and passes the response's data.data field to createLogger() from the log-format-thread dependency. Since the content at jsonkeeper.com is attacker-mutable, this allows arbitrary attacker-controlled content to be delivered and processed at import time, effectively turning any consumer of this package into a vehicle for executing malicious content.
Potential Impact
Any application that includes mongoose-json-format version 3.0.1 as a dependency and requires it will execute attacker-controlled content fetched at runtime from a mutable external source. This can lead to arbitrary code execution or other malicious behaviors depending on the content delivered and how the downstream dependency processes it. The malicious behavior occurs immediately upon import, making it a supply chain risk.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid using mongoose-json-format version 3.0.1. Since this is a malicious package, removing it from dependencies and replacing it with a trusted alternative is recommended. Monitor vendor advisories for any updates or fixes. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6499
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef7c927e9c79719000266
Added to database: 06/26/2026, 22:06:01 UTC
Last enriched: 06/26/2026, 22:36:27 UTC
Last updated: 06/26/2026, 22:36:27 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.