npm · Malicious package advisory
Malwareexpress-request-engine
MAL-2026-10414
Malicious code in express-request-engine (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (650f45223a2abc34039d499274c1cce89abdf6b4be571d326b73e2b10da48e30)
The package's main entry (index.js) presents itself as a `normalize-path` utility but on module load calls initPlugin() at top level, which performs an HTTPS fetch to https://api.jsonbin.io/v3/b/6a4f5816f5f4af5e29762c92 and passes the response body's `record.cerookie` field into `new (Function.constructor)('require',...)`, invoking it with the consumer's own `require` function. The result is arbitrary attacker-controlled JavaScript executing with full module-loading privileges on any process that imports the package. The destination is a mutable jsonbin document under an anonymous account, so the executed code can be changed at any time by the publisher. Obscure naming (`cerookie` payload field, `bearrtoken: 'logo'` header) and the mismatch between the advertised `normalize-path` purpose and the actual network fetch + Function-constructor exec indicate deliberate concealment rather than misconfiguration.
Compromised versions (1)
- 3.6.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.