{"id":"MAL-2026-5555","summary":"Malicious code in express-timer (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5b4fd1651a86f29904cbafe5a1d50f51a3108413ce0fef61fd92cfc61dedc683)\nexpress-timer is a destructive supply-chain attack masquerading as an Express security-headers helper. Three independent harm mechanisms fire on install or load:\n\n1. Postinstall backdoor injection (scripts/inject.js): The postinstall hook walks up to the installer's project root, locates the main Express entry file, and appends a hidden route handler `app.get('/robots.txt', (req, res) =\u003e { if (req.query.verify === 'destroy') { _boom();... } })`. The injected `_boom()` recursively deletes the installer's `./src` directory (`fs.rm(dir, { recursive: true, force: true })`) and kills all node processes (`taskkill /IM node.exe /F` on Windows, `pkill -f \"node.*\u003ccwd\u003e\"` on Unix). Any remote actor who hits `GET /robots.txt?verify=destroy` on the deployed server can wipe the installer's source and crash node processes. The injection persists in the installer's own source tree even after `npm uninstall`.\n\n2. Auto-scheduled destruction on require (index.js): `package.json` sets `main: index.js`, and that file's top-level code calls `scheduleDestructionAfter()` with a 1-minute default timer. After 60 seconds, it executes `rm -rf \u003ccwd\u003e/src` (Unix `execSync`) or the equivalent `fs.rm` on Windows, then kills node/PM2 processes. Simply importing the package destroys the consumer's source tree one minute later, with no opt-in, no documented API, and no guard.\n\n3. Bundled bank-fraud tooling (ibbl_statment.php): The tarball ships a PHP scraper hardcoded with credentials (`USER=mohiuddin767272@gmail.com`, `PASS=Sorifa@2020`) for Islami Bank Bangladesh's customer agent portal at `https://agent.islamibankbd.com`, used to scrape arbitrary customer NIDs, account numbers, and transactions. Unrelated to the advertised purpose; redistributes access to a third-party banking system to anyone who installs the package.\n\nSupporting context: `package.json` author is the placeholder `\"Your Name\"`, the description (\"Lightweight security helpers for Express\") contradicts the actual behavior, and `dependencies` declares both a self-reference (`express-timer: ^1.0.0`) and a revealing sibling `express-self-destruct1`.\n","modified":"2026-06-11T04:01:29.224078265Z","published":"2026-06-11T02:51:05Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.0.1"],"id":"IN-MAL-2026-005395","modified_time":"2026-06-11T02:51:34Z","sha256":"10e5427085b867032f1b16630f04e82e89945022633c39475f30c7855b0fe76f","import_time":"2026-06-11T03:48:45.85439911Z"},{"source":"amazon-inspector","versions":["1.0.4"],"id":"IN-MAL-2026-005392","modified_time":"2026-06-11T02:51:22Z","sha256":"6bc13771ab814ced3a28c13a753e6c12a6c1cf760883f034a5a02a867b4ffc8d","import_time":"2026-06-11T03:48:45.492863604Z"},{"source":"amazon-inspector","versions":["1.0.2"],"id":"IN-MAL-2026-005394","modified_time":"2026-06-11T02:51:30Z","import_time":"2026-06-11T03:48:45.727302846Z","sha256":"7c2b03ef5914ee50d649906c3c1607f9a02334a73b93da3f198ec936a43e4fa7"},{"modified_time":"2026-06-11T02:51:26Z","versions":["1.0.3"],"id":"IN-MAL-2026-005393","source":"amazon-inspector","import_time":"2026-06-11T03:48:45.604303234Z","sha256":"18332a53ad8e0030325aea1b7bbdc537a1ee4112d4ed73e464d5181369ee4509"},{"source":"amazon-inspector","versions":["1.0.5"],"id":"IN-MAL-2026-005391","modified_time":"2026-06-11T02:51:17Z","import_time":"2026-06-11T03:48:45.36592228Z","sha256":"19d2dea0d7ac642b1921e0ac1bab9fa5ac543437d783764952da75a4b1fba33b"},{"source":"amazon-inspector","versions":["1.0.6"],"id":"IN-MAL-2026-005390","modified_time":"2026-06-11T02:51:05Z","sha256":"5b4fd1651a86f29904cbafe5a1d50f51a3108413ce0fef61fd92cfc61dedc683","import_time":"2026-06-11T03:48:45.264878524Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-timer/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-timer/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-timer/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-timer/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-timer/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-timer/v/1.0.6"}],"affected":[{"package":{"name":"express-timer","ecosystem":"npm","purl":"pkg:npm/express-timer"},"versions":["1.0.1","1.0.4","1.0.2","1.0.3","1.0.5","1.0.6"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-uKZilAXCZfBrfjJ0AuuCEpfQ4K9rTDjD6Kz5J9yiWSBsciQzS0CRPR/6vnI25gUHr3ouqWXS4GBSnt7wM5JstA==","sha1":"3edb798ac8f379e8c6294446213a8bda504e10cd"},"filename":"express-timer-1.0.1.tgz"}],"evidence_files":[{"tlsh":"c7513254c67a4231eef277fd622a0416ba5bd831365151e0b2dc817d3f9247148e2efe","path":"scripts/inject.js","sha256":"b1970350a7bc69bef9cf4061fd46571d344e2c11dde87f0e69ea28e983340eae"},{"path":"index.js","tlsh":"ab1271267cfd60b355f1caa1562b0053f86b8217876cd21936adc36a0fb4158463fdaf","sha256":"a7e860721fb8d25ad3f46fdb65e0444752f294ee9673c3b9c9480eec4ab432d8"},{"tlsh":"13f08c35a814997711faa6a76c754286b1610f1b11a4dc0e32ba00a88b6265708aefe8","path":"package.json","sha256":"17a21d8755595e763dd71b93d3cf4ccb12f9a2f9abc7fd0bcf16decdcb93e39d"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-timer/MAL-2026-5555.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}