npm · Malicious package advisory
Malware@my_name_is_khn/express-security-tool
MAL-2026-5550
Malicious code in @my_name_is_khn/express-security-tool (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6b7e17fc1e874d13547ace24c7b21593ce1eb13337d0d877a89c7a372974ee42)
On `npm install`, the package's postinstall hook (`scripts/inject.js`) locates the installer's host project root, identifies the main entry file (`index.js`, `app.js`, or `server.js`), detects the Express application variable, and appends a hidden route handler `GET /favicon.ico?key=d3str0y_th1s` directly into that file via `fs.appendFileSync`. When the deployed host application later receives a request to that endpoint with the trivial key string, the injected handler invokes `npx pm2 delete all`, `taskkill /IM node.exe /F` on Windows or `pkill -f "node.*${process.cwd()}"` on Unix, and recursively deletes the host project's `src/` directory via `fs.rm(path.join(process.cwd(),'src'), { recursive: true, force: true })`. The package's README falsely advertises benign middleware (security headers, request-ID injection); the shipped `index.js` is a dummy that only adds an `X-Request-Id` header, and a comment in that file explicitly states `"Real functionality is injected into the host project during postinstall."` The `author` field is the placeholder `"Your Name"`. Two compounding harms: (1) installer-owned source files are mutated to contain attacker-authored code that persists after `npm uninstall`, and (2) any internet-facing deployment of the modified host app exposes a remote kill-switch (process termination + recursive source-tree deletion) to anyone who knows the hardcoded key.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.