VYPR

npm · Malicious package advisory

Malware

express-plugin

MAL-2026-6523

Malicious code in express-plugin (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (183cda19ef38d3451b375669fb460577a83217091d96d7fc11d5bf33679c8003)
On module load, index.js auto-invokes initPlugin(), which HTTP-GETs https://jsonkeeper.com/b/PRA3O, parses the JSON response, and passes the response's `cookie` field to `Function.constructor` with `require` exposed, then immediately invokes the resulting function. Any process that does `require('express-plugin')` executes arbitrary JavaScript pulled from a mutable third-party paste host with full Node `require` privileges, giving the operator of that paste full control of the installer's machine. The file is headed as `normalize-path (ES6 safe version)` and exports an unused normalizePath function as decoy; the package name `express-plugin` is cover framing intended to make the package look like a benign Express middleware. The remote payload is attacker-mutable: today's content can be swapped for credential theft, persistence, or any other action at any time without republishing the package.

Compromised versions (1)

  • 1.6.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.