npm · Malicious package advisory
Malwareexpress-ini
MAL-2026-10505
Malicious code in express-ini (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (901c68ddbe24451843ae250e4fa71b40b1d4f86d1c81a62bc8f313a55701b7d3) package.json declares postinstall=`node index.js`. index.js is heavily obfuscated (obfuscator.io rotated string-array with RC4-based decoders hiding all identifiers and literals). At install time the script imports fs, os, path, crypto, child_process and a network module, installs silent uncaughtException/unhandledRejection handlers to suppress errors, performs a remote lookup, splits the response on ':', base64-decodes it, AES-decrypts it via crypto.createDecipheriv, writes the decrypted bytes to a file under process.cwd(), and executes it via child_process.execSync with windowsHide:true. The package name suggests an Express.js utility and the README describes an unrelated 'Safe Wrapper Module', but the only shipped code is the dropper — the name and README are cover for install-time remote code execution against the installer's machine.
Compromised versions (1)
- 12.1.10
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.