{"id":"MAL-2026-6523","summary":"Malicious code in express-plugin (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (183cda19ef38d3451b375669fb460577a83217091d96d7fc11d5bf33679c8003)\nOn module load, index.js auto-invokes initPlugin(), which HTTP-GETs https://jsonkeeper.com/b/PRA3O, parses the JSON response, and passes the response's `cookie` field to `Function.constructor` with `require` exposed, then immediately invokes the resulting function. Any process that does `require('express-plugin')` executes arbitrary JavaScript pulled from a mutable third-party paste host with full Node `require` privileges, giving the operator of that paste full control of the installer's machine. The file is headed as `normalize-path (ES6 safe version)` and exports an unused normalizePath function as decoy; the package name `express-plugin` is cover framing intended to make the package look like a benign Express middleware. The remote payload is attacker-mutable: today's content can be swapped for credential theft, persistence, or any other action at any time without republishing the package.\n","modified":"2026-06-26T15:16:36.295026277Z","published":"2026-06-26T14:35:03Z","database_specific":{"malicious-packages-origins":[{"sha256":"183cda19ef38d3451b375669fb460577a83217091d96d7fc11d5bf33679c8003","versions":["1.6.6"],"source":"amazon-inspector","import_time":"2026-06-26T14:59:21.375612638Z","id":"IN-MAL-2026-007607","modified_time":"2026-06-26T14:35:03Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-plugin/v/1.6.6"}],"affected":[{"package":{"name":"express-plugin","ecosystem":"npm","purl":"pkg:npm/express-plugin"},"versions":["1.6.6"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-plugin/MAL-2026-6523.json","indicators":{"package_integrity":[{"filename":"express-plugin-1.6.6.tgz","hashes":{"sha1":"02dbd0ec2dcd58a51566d415265b44123e3a60db","sha512_sri":"sha512-Fu6LvzXbDNuvgjpSHNZy91mcmbER26jnB3vpFN6OcTaODQxV86D3fSBGYNXj/M44pzgB2MwXoCw7O06yf/5Kqg=="}}],"evidence_files":[{"tlsh":"e641edd924fa6125c1a3e1810f8fc409b22ae1133358cac4b98c53546fe07b8a7f2f4a","sha256":"cb40d0001069f499b51beaba992eaf01247958017ebd217ac6421c7650828f9f","path":"index.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}