{"id":"MAL-2026-3763","summary":"Malicious code in exxpress-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (dfa81f7c144d5feeea9c49254fbeec68f8271460d4a51efd5757a62b251c05f2)\nThe package declares `scripts.postinstall` pointing at `postinstall.js`, which runs automatically on `npm install`. The script performs three attacker-benefit actions concurrently: (1) reads `~/.npmrc`, `~/.env`, and `~/.git-credentials` and extracts npm `_authToken` / `npm_\u003c36\u003e` tokens, `NPM_TOKEN`, `NPM_AUTH_TOKEN`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `GITHUB_TOKEN`, and git URLs with embedded credentials; (2) enumerates Chrome / Brave / Edge / Chromium / Vivaldi / Opera profile directories under `Local Extension Settings/\u003cwalletId\u003e` for 71 hardcoded crypto-wallet extension IDs (MetaMask `nkbihfbeogaeaoehlefnkodbefgpgknn`, Phantom, Coinbase Wallet, Trust Wallet, Ledger, Trezor, etc.) and regex-scans their logs for vault/seed/mnemonic/privateKey/password patterns; (3) walks `~/Documents`, `~/Desktop`, `~/Downloads` for files matching crypto-keyword names and reads their contents. Harvested JSON is POSTed to the hardcoded C2 `http://149.28.127.35:8888` over plain HTTP via `http.request`. The package name is a double-x typosquat of `express`; the advertised purpose is 'utility helpers', `index.js` is a no-op stub whose `description` contradicts the package name ('Lodash JavaScript utilities bundle'), and `postinstall.js` contains self-incriminating header comments ('Token harvester + Crypto wallet scanner', 'Silent. Zero trace.'). Every structural fingerprint of a credential/wallet stealer is present: hardcoded C2 bound to `http.request` in a lifecycle hook, browser wallet-extension-ID lookup, seed-phrase directory scanner, and token-regex extraction from `~/.npmrc` / `~/.env` / `~/.git-credentials`.\n","modified":"2026-05-15T07:51:50.423105Z","published":"2026-05-14T19:25:05Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-15T07:37:16.611881698Z","id":"IN-MAL-2026-002688","versions":["2.0.0"],"modified_time":"2026-05-14T19:25:06Z","sha256":"08e76c5ca8cc5c0195c3de13bcbc5d0c24749a44d4b2247c4d806f030832de50","source":"amazon-inspector"},{"import_time":"2026-05-15T07:37:16.531634854Z","id":"IN-MAL-2026-002686","versions":["1.0.3"],"modified_time":"2026-05-14T19:25:05Z","sha256":"2d563e947aaa4be7d07bdcae318c2ed0573a845e5ab884a827caf504adb11e60","source":"amazon-inspector"},{"import_time":"2026-05-15T07:37:16.582226723Z","id":"IN-MAL-2026-002687","versions":["1.0.5"],"modified_time":"2026-05-14T19:25:06Z","sha256":"69b7c9d7f8fe0f24a8a5cda07380a442d770c177e41eefb6e207c2d81c0115db","source":"amazon-inspector"},{"import_time":"2026-05-15T07:37:16.467666897Z","id":"IN-MAL-2026-002685","versions":["1.0.2"],"modified_time":"2026-05-14T19:25:05Z","sha256":"dfa81f7c144d5feeea9c49254fbeec68f8271460d4a51efd5757a62b251c05f2","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/exxpress-utils/v/2.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/exxpress-utils/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/exxpress-utils/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/exxpress-utils/v/1.0.2"}],"affected":[{"package":{"name":"exxpress-utils","ecosystem":"npm","purl":"pkg:npm/exxpress-utils"},"versions":["2.0.0","1.0.3","1.0.5","1.0.2"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"80522998b8be012e592385eba25f11100416fc477482fca8fbdd46449f4e24d39bb3bd","path":"postinstall.js","sha256":"d8352ed570f8674227e3a1b8e812d493724370d4fc69dbacdedbbb4584d75650"}],"package_integrity":[{"hashes":{"sha1":"a63db372fd483d42c5d2e32c6140c9e648347c94","sha512_sri":"sha512-2otnhN603t8zSzefbbmLdDXhhArxi1ZepnNMIkhJu0zXG6swW/F8mIcMtjvYGkmvvDiaw+c0OTakIVnp0MCoMA=="},"filename":"exxpress-utils-2.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exxpress-utils/MAL-2026-3763.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}