{"id":"MAL-2026-6229","summary":"Malicious code in routecraft (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0)\nroutecraft@4.2.0 ships verbatim Express.js source (lib/routecraft.js, lib/application.js, lib/request.js, lib/response.js, lib/utils.js, lib/view.js — same layout, comments, and exports including createApplication, Router, and json/raw/text/urlencoded/static middleware) under a different package name and author with no Express attribution, presenting itself as an original 'lightweight HTTP routing framework'. package.json declares `\"preinstall\": \"node ./lib/configure.js\"`. lib/configure.js performs no compilation despite logging '...Skipping native addon compilation' — the package ships no native sources (no binding.gyp, no .cc/.cpp/.rs files). Instead, lines 10-12 contain `if (os.platform() === 'win32' && v \u003e= 18) { require('procwire'); }`, conditionally loading the obscure `procwire` dependency (declared as `^1.3.0`) only on Windows with Node \u003e= 18. 
The false cover story, the platform gate, and the delegation of the executed code to an unpinned transitive dependency together form the standard pattern for shifting a malicious payload off the parent package so it appears clean while installers on Windows execute whatever procwire ships at install time.\n","modified":"2026-06-19T17:01:45.703587918Z","published":"2026-06-19T15:55:54Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007085","source":"amazon-inspector","modified_time":"2026-06-19T15:55:54Z","versions":["5.0.0"],"import_time":"2026-06-19T16:53:21.348902647Z","sha256":"35254023a0071db579346eebe9f0e355a847a6d7f4320f600354c220f00ba646"},{"import_time":"2026-06-19T16:53:21.405061587Z","source":"amazon-inspector","modified_time":"2026-06-19T15:57:50Z","id":"IN-MAL-2026-007086","versions":["4.2.0"],"sha256":"a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/routecraft/v/5.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/routecraft/v/4.2.0"}],"affected":[{"package":{"name":"routecraft","ecosystem":"npm","purl":"pkg:npm/routecraft"},"versions":["5.0.0","4.2.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/routecraft/MAL-2026-6229.json","indicators":{"evidence_files":[{"tlsh":"dae020cc9bfde556397526c6181602176555c0210e05d4d06534d1f57f90d7017a6df9","path":"lib/configure.js","sha256":"e0fb0ac2cd9a864482a63de72821462ad5e2fa3f73b9ea5229c49cee0d0bafc8"},{"tlsh":"5b31f0c7b5c0b2a917a375fc473ad1c16caed2fa6045d4ba40d4d2f82c8140dd385ed4","path":"lib/routecraft.js","sha256":"0ac99f23625ab512ad4170e1658a4e21f69359e01c89bd0dd507cec2c52e27e2"}],"package_integrity":[{"hashes":{"sha1":"db1b27737dd2d0cbbbbc792676be52a623911a15","sha512_sri":"sha512-Phu3S1BH9fDl7mrSe5euILuJkQl91/7pDl/fD51upMZAIyDw9tZC8Qu50tR0V4N0CM41A+71CiBhEcqIUiWrIw=="},"filename":"routecraft-5.0.0.tgz"}]},"cwes":[{"cweId":"CWE-506",
"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}