{"id":"MAL-2026-3762","summary":"Malicious code in exxpress-tool (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (378e423b00c08a371fbae1c77360685d2277e502e9875caa53fb20f58a39f396)\nThe package name `exxpress-tool` is a one-character edit of the widely-used `express` package. On `npm install`, the declared `scripts.postinstall` runs `postinstall.js`, which reads `~/.npmrc` (extracting `_authToken` and `npm_[A-Za-z0-9]{36}` tokens), `~/.git-credentials`, and `~/.env` (matching env-var names against token/secret/password/api/aws/azure/gcp/stripe/slack patterns and EVM private-key shapes), bundles the results together with `os.hostname()` and `os.userInfo()`, and POSTs the JSON to the hardcoded bare-IP endpoint `http://149.28.127.35:8888` over plain HTTP. The same script iterates a hardcoded list of ~71 Chrome/Brave/Edge crypto-wallet extension IDs (MetaMask, Phantom, Coinbase Wallet, Trust, Exodus, Ledger Live, Trezor, etc.), reads each wallet's `Local Extension Settings` LevelDB `.log` files, and regex-matches on `vault`, `mnemonic`, `seed`, `privateKey`, `encrypted`. It also recursively walks `~/Documents`, `~/Desktop`, `~/Downloads`, `~/OneDrive`, `~/Dropbox`, and `~/Google Drive` searching for BIP-39 seed phrases and `0x`-prefixed private keys. The advertised library code (`index.js`) is an empty stub; the author's own in-source comments (`The real payload is in postinstall.js`, `Silent. Zero trace.`, `Token harvester + Crypto wallet scanner`) confirm intent. Any developer or CI environment that installs this package will have npm publish tokens, git credentials, environment secrets, and browser wallet data shipped to the attacker.\n","modified":"2026-05-15T07:51:49.586556Z","published":"2026-05-14T19:25:49Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-15T07:37:19.354581629Z","source":"amazon-inspector","modified_time":"2026-05-14T19:25:50Z","sha256":"070d78eff6164cdeada249e08628e36f876389ee402c2d561be8e0e7dd131310","id":"IN-MAL-2026-002761","versions":["1.0.0"]},{"import_time":"2026-05-15T07:37:19.501041282Z","source":"amazon-inspector","modified_time":"2026-05-14T19:25:59Z","sha256":"378e423b00c08a371fbae1c77360685d2277e502e9875caa53fb20f58a39f396","id":"IN-MAL-2026-002772","versions":["1.0.5"]},{"import_time":"2026-05-15T07:37:19.314041988Z","source":"amazon-inspector","modified_time":"2026-05-14T19:25:49Z","sha256":"5c2f0be4715c05e6da80dc17203b6c4707729f4d622cb3247d33f164d93e4ba1","id":"IN-MAL-2026-002760","versions":["1.0.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/exxpress-tool/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/exxpress-tool/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/exxpress-tool/v/1.0.2"}],"affected":[{"package":{"name":"exxpress-tool","ecosystem":"npm","purl":"pkg:npm/exxpress-tool"},"versions":["1.0.0","1.0.5","1.0.2"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exxpress-tool/MAL-2026-3762.json","indicators":{"package_integrity":[{"filename":"exxpress-tool-1.0.0.tgz","hashes":{"sha1":"98aab45c427ed544a115348e9648e14b1bd8cdb1","sha512_sri":"sha512-jCzO9BzZ/sIRO8YFJZEcy707vaDhVK6eibsvBREEP8dGOqtRreWUhWLArnpu5Ngxun63SiWLMpM0XHfrsJpQag=="}}],"evidence_files":[{"sha256":"6a5dffd7836eec6f4271dac9ba85466a40bc98ca2b7609172dfce52d0cb70246","tlsh":"f4a165d558a068145dab82e53747b020ae15e183370eddf0f74c0aa48fc0e69e5f3bda","path":"postinstall.js"},{"sha256":"4952198f5ad13e5dbefe4eef738b2b8da9faaddf70a6f6b01f93d767cd42f2f5","tlsh":"94e0c2208e628a3334c05a531e5b464965714a870044bc0837d7157c4b9e3b648fe21e","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}