npm · Malicious package advisory
Malwareroutecraft
MAL-2026-6229
Malicious code in routecraft (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0)
routecraft@4.2.0 ships verbatim Express.js source (lib/routecraft.js, lib/application.js, lib/request.js, lib/response.js, lib/utils.js, lib/view.js — same layout, comments, and exports including createApplication, Router, and json/raw/text/urlencoded/static middleware) under a different package name and author with no Express attribution, presenting itself as an original 'lightweight HTTP routing framework'. package.json declares `"preinstall": "node./lib/configure.js"`. lib/configure.js performs no compilation despite logging '...Skipping native addon compilation' — the package ships no native sources (no binding.gyp, no.cc/.cpp/.rs files). Instead, lines 10-12 contain `if (os.platform() === 'win32' && v >= 18) { require('procwire'); }`, conditionally loading the obscure `procwire` dependency (declared as `^1.3.0`) only on Windows with Node >= 18. The false cover story, the platform gate, and the delegation of the executed code to an unpinned transitive dependency together form the standard pattern for shifting a malicious payload off the parent package so it appears clean while installers on Windows execute whatever procwire ships at install time.
## Source: ghsa-malware (1d59be835e0f7c6030e248343fc25d7d5044225a02c021b588faa736bf204170)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (2)
- 5.0.0
- 4.2.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.