npm · Malicious package advisory
Malwareexpress-mocha-test
MAL-2026-6568
Malicious code in express-mocha-test (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (01d87351be0d9f68d73ec05867e55fe5712d4885fa76c70c5ec9b003ef512825)
express-mocha-test@0.0.1 declares a postinstall lifecycle hook that loads the package's main module, which calls fetch() against an anonymous ngrok-free.app tunnel (https://2939e69fc408.ngrok-free.app/stats) and passes the response body directly to eval(). This executes attacker-controlled JavaScript on any machine that runs `npm install` for this package, with no pinning, integrity check, or scoping. The destination is an ephemeral, mutable, attacker-operated tunnel — not a registry, not a publisher domain. Package metadata impersonates well-known maintainers of the express and mocha projects (author field set to 'TJ Holowaychuk'), and the stated description ('Integrate redis with cookies') does not match the shipped behavior, indicating deliberate impersonation rather than misconfiguration.
## Source: ossf-package-analysis (29f25ba9eae37a7b135fdd249bed8152a0eef931ba2934f5cb08ed07638ffb88)
The OpenSSF Package Analysis project identified 'express-mocha-test' @ 0.0.1 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 0.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.