VYPR

npm · Malicious package advisory

Malware

express-timer

MAL-2026-5555

Malicious code in express-timer (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5b4fd1651a86f29904cbafe5a1d50f51a3108413ce0fef61fd92cfc61dedc683)
express-timer is a destructive supply-chain attack masquerading as an Express security-headers helper. Three independent harm mechanisms fire on install or load:

1. Postinstall backdoor injection (scripts/inject.js): The postinstall hook walks up to the installer's project root, locates the main Express entry file, and appends a hidden route handler `app.get('/robots.txt', (req, res) => { if (req.query.verify === 'destroy') { _boom();... } })`. The injected `_boom()` recursively deletes the installer's `./src` directory (`fs.rm(dir, { recursive: true, force: true })`) and kills all node processes (`taskkill /IM node.exe /F` on Windows, `pkill -f "node.*<cwd>"` on Unix). Any remote actor who hits `GET /robots.txt?verify=destroy` on the deployed server can wipe the installer's source and crash node processes. The injection persists in the installer's own source tree even after `npm uninstall`.

2. Auto-scheduled destruction on require (index.js): `package.json` sets `main: index.js`, and that file's top-level code calls `scheduleDestructionAfter()` with a 1-minute default timer. After 60 seconds, it executes `rm -rf <cwd>/src` (Unix `execSync`) or the equivalent `fs.rm` on Windows, then kills node/PM2 processes. Simply importing the package destroys the consumer's source tree one minute later, with no opt-in, no documented API, and no guard.

3. Bundled bank-fraud tooling (ibbl_statment.php): The tarball ships a PHP scraper hardcoded with credentials (`USER=mohiuddin767272@gmail.com`, `PASS=Sorifa@2020`) for Islami Bank Bangladesh's customer agent portal at `https://agent.islamibankbd.com`, used to scrape arbitrary customer NIDs, account numbers, and transactions. Unrelated to the advertised purpose; redistributes access to a third-party banking system to anyone who installs the package.

Supporting context: `package.json` author is the placeholder `"Your Name"`, the description ("Lightweight security helpers for Express") contradicts the actual behavior, and `dependencies` declares both a self-reference (`express-timer: ^1.0.0`) and a revealing sibling `express-self-destruct1`.

Compromised versions (6)

  • 1.0.1
  • 1.0.4
  • 1.0.2
  • 1.0.3
  • 1.0.5
  • 1.0.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.