npm · Malicious package advisory
Malwareexpress-router-engine
MAL-2026-10063
Malicious code in express-router-engine (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70) The sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an `Authentication` header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under a temp/home path, and executes that file via child_process.exec with `windowsHide:true`. All module names (fs, os, path, child_process, http client), the fetch URL, header name/value, crypto algorithm, and temp path components are stored encrypted in the string array — the obfuscation exists purely to hide the C2 URL and payload pipeline. The package name (`express-router-engine`) also mismatches its own description text (`express-route-engine is a lightweight routing framework...`), consistent with name-confusion against a legitimate routing helper. Any consumer that requires this package fetches and executes attacker-controlled code on the installer's machine.
Compromised versions (4)
- 3.6.5
- 3.6.6
- 3.6.7
- 3.6.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.