{"id":"MAL-2026-10063","summary":"Malicious code in express-router-engine (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70)\nThe sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an `Authentication` header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under a temp/home path, and executes that file via child_process.exec with `windowsHide:true`. All module names (fs, os, path, child_process, http client), the fetch URL, header name/value, crypto algorithm, and temp path components are stored encrypted in the string array — the obfuscation exists purely to hide the C2 URL and payload pipeline. The package name (`express-router-engine`) also mismatches its own description text (`express-route-engine is a lightweight routing framework...`), consistent with name-confusion against a legitimate routing helper. Any consumer that requires this package fetches and executes attacker-controlled code on the installer's machine.\n","modified":"2026-07-09T21:16:56.297066139Z","published":"2026-07-09T15:55:17Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-009285","source":"amazon-inspector","versions":["3.6.5"],"modified_time":"2026-07-09T15:55:17Z","import_time":"2026-07-09T16:20:57.377839426Z","sha256":"49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70"},{"source":"amazon-inspector","versions":["3.6.6"],"id":"IN-MAL-2026-009322","modified_time":"2026-07-09T16:50:00Z","import_time":"2026-07-09T17:19:23.681830894Z","sha256":"8ccf7c2321da04d59215e49cc91b2dc6da1cc66606ff968d968f397286f1ed3c"},{"versions":["3.6.7"],"id":"IN-MAL-2026-009323","source":"amazon-inspector","modified_time":"2026-07-09T16:50:10Z","import_time":"2026-07-09T17:19:23.829525114Z","sha256":"f8a4b520ba7169b1a71e922c24e8b5f70d7c5205b0c21b808fda327d907f0fe4"},{"versions":["3.6.8"],"id":"IN-MAL-2026-009401","source":"amazon-inspector","modified_time":"2026-07-09T20:46:50Z","import_time":"2026-07-09T21:03:51.095354131Z","sha256":"ff7183244d992f74d03d08e21630f71924ce0c3990ea3bdaadd47f0adc8c390f"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-router-engine/v/3.6.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-router-engine/v/3.6.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-router-engine/v/3.6.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-router-engine/v/3.6.8"}],"affected":[{"package":{"name":"express-router-engine","ecosystem":"npm","purl":"pkg:npm/express-router-engine"},"versions":["3.6.5","3.6.6","3.6.7","3.6.8"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-router-engine/MAL-2026-10063.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-iz18+fsMQ6+psHCnfGToBJfTW4M6jFZmQO20RsqQUZVoUzXTShGBHz4tlJuO55lNSJeZcxRF1Ssd6wmpe3uAng==","sha1":"4cbee8284bfe88cc45a591125af5cf29c43641af"},"filename":"express-router-engine-3.6.5.tgz"}],"evidence_files":[{"path":"index.js","tlsh":"85b283c93fd1b4a05223b0f76a1ba5a5e1396c98b3cc8449f7e7f058fd58314e0a5b68","sha256":"d5fca13ecf8936e4be2201d722b131c67d6ec5cd5e4087e2189440c08ddf5f63"},{"path":"package.json","tlsh":"3ff020386a0500a705cb02a37ca0509aebb1cf4f25c17c0517a7c5b852d3f721dbe30c","sha256":"c2e9b31bc6e2f5b6f89fe2613078548b1f9b9e27abece5c3164d612a067eab1c"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}