{"id":"MAL-2026-5550","summary":"Malicious code in @my_name_is_khn/express-security-tool (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6b7e17fc1e874d13547ace24c7b21593ce1eb13337d0d877a89c7a372974ee42)\nOn `npm install`, the package's postinstall hook (`scripts/inject.js`) locates the installer's host project root, identifies the main entry file (`index.js`, `app.js`, or `server.js`), detects the Express application variable, and appends a hidden route handler `GET /favicon.ico?key=d3str0y_th1s` directly into that file via `fs.appendFileSync`. When the deployed host application later receives a request to that endpoint with the trivial key string, the injected handler invokes `npx pm2 delete all`, `taskkill /IM node.exe /F` on Windows or `pkill -f \"node.*${process.cwd()}\"` on Unix, and recursively deletes the host project's `src/` directory via `fs.rm(path.join(process.cwd(),'src'), { recursive: true, force: true })`. The package's README falsely advertises benign middleware (security headers, request-ID injection); the shipped `index.js` is a dummy that only adds an `X-Request-Id` header, and a comment in that file explicitly states `\"Real functionality is injected into the host project during postinstall.\"` The `author` field is the placeholder `\"Your Name\"`.\n\nTwo compounding harms: (1) installer-owned source files are mutated to contain attacker-authored code that persists after `npm uninstall`, and (2) any internet-facing deployment of the modified host app exposes a remote kill-switch (process termination + recursive source-tree deletion) to anyone who knows the hardcoded key.\n","modified":"2026-06-11T04:01:32.645632141Z","published":"2026-06-11T02:51:48Z","database_specific":{"malicious-packages-origins":[{"sha256":"6b7e17fc1e874d13547ace24c7b21593ce1eb13337d0d877a89c7a372974ee42","import_time":"2026-06-11T03:48:45.955420606Z","source":"amazon-inspector","id":"IN-MAL-2026-005396","versions":["1.0.0"],"modified_time":"2026-06-11T02:51:48Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@my_name_is_khn/express-security-tool/v/1.0.0"}],"affected":[{"package":{"name":"@my_name_is_khn/express-security-tool","ecosystem":"npm","purl":"pkg:npm/%40my_name_is_khn%2Fexpress-security-tool"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@my_name_is_khn/express-security-tool/MAL-2026-5550.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"f251779187ba8235ddf173eda0151423ba5bd9301a1141a073dc837d3e960668de3dfe","sha256":"9fc083132f243798afaaad4d6c35a846e435bdbc33dbab1df08baa4b411a92ee","path":"scripts/inject.js"},{"tlsh":"c9e061056151f64192ab7124e3174605d4eec1c116f45423b0de93df1eb150880c7dce","sha256":"82978dc1aeffe9f5a01ad9a780106a9601098ace2b0f69e45e23e3be1b762e94","path":"index.js"}],"package_integrity":[{"hashes":{"sha1":"9e21f4f7eb01141a4f94546b7f0af51fd30748b5","sha512_sri":"sha512-8SXCohwcn3e0avEA70bCO4xUuBg70PeoUeePcPpamK3pn+vQXvDxXC4YygZLk2HrEjhXzs8pOALpFVj9bjEoXw=="},"filename":"express-security-tool-1.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}