npm · Malicious package advisory
Malwareexpress-initial
MAL-2026-6543
Malicious code in express-initial (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a8d292a4664135ed1869f907d62fb6472839ab54a59aedb2f3a88022a0c70095)
package.json declares `"postinstall": "node index.js"`, so `npm install express-initial` automatically runs the package's main script. index.js is heavily obfuscated (obfuscator.io-style 317-entry RC4-encoded string array, base64 decoder, array-rotation self-shuffle, control-flow flattening) which hides the destination URL, AES key material, and command strings from any plain-text inspection. At runtime the script imports http/https, fs, path, os, crypto, and child_process, performs an HTTPS GET against a hard-coded remote host, splits the response on ':' into IV and ciphertext, decrypts via `crypto.createDecipheriv('aes-256-...', <sha256-derived key>, Buffer.from(iv,'base64'))`, writes the decrypted bytes into `path.join(os.tmpdir(), <name>)` with flag 'w+', and immediately invokes the dropped file via `child_process.exec`/`execFile` with `windowsHide: true`. This is a fetch-decrypt-and-execute dropper firing on default install. The package name also leverages the popular `express` framework while shipping empty author/description/repository metadata and a generic README that itself notes the script is obfuscated — consistent with a deliberate supply-chain lure rather than a legitimate helper.
## Source: ghsa-malware (7e5efd40dc0c1b6d6087636366132ffd18b77da665b9984fddb61c9bb72a80de)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (4)
- 12.1.9
- 12.1.10
- 12.1.8
- 12.1.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.