VYPR

npm · Malicious package advisory

Malware

express-router-engine

MAL-2026-10063

Malicious code in express-router-engine (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70)
The sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an `Authentication` header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under a temp/home path, and executes that file via child_process.exec with `windowsHide:true`. All module names (fs, os, path, child_process, http client), the fetch URL, header name/value, crypto algorithm, and temp path components are stored encrypted in the string array — the obfuscation exists purely to hide the C2 URL and payload pipeline. The package name (`express-router-engine`) also mismatches its own description text (`express-route-engine is a lightweight routing framework...`), consistent with name-confusion against a legitimate routing helper. Any consumer that requires this package fetches and executes attacker-controlled code on the installer's machine.

Compromised versions (4)

  • 3.6.5
  • 3.6.6
  • 3.6.7
  • 3.6.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.