{"id":"MAL-2026-6543","summary":"Malicious code in express-initial (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a8d292a4664135ed1869f907d62fb6472839ab54a59aedb2f3a88022a0c70095)\npackage.json declares `\"postinstall\": \"node index.js\"`, so `npm install express-initial` automatically runs the package's main script. index.js is heavily obfuscated (obfuscator.io-style 317-entry RC4-encoded string array, base64 decoder, array-rotation self-shuffle, control-flow flattening), which hides the destination URL, AES key material, and command strings from plain-text inspection. At runtime the script imports http/https, fs, path, os, crypto, and child_process, performs an HTTPS GET against a hard-coded remote host, splits the response on ':' into IV and ciphertext, decrypts via `crypto.createDecipheriv('aes-256-...', \u003csha256-derived key\u003e, Buffer.from(iv,'base64'))`, writes the decrypted bytes into `path.join(os.tmpdir(), \u003cname\u003e)` with flag 'w+', and immediately invokes the dropped file via `child_process.exec`/`execFile` with `windowsHide: true`. This is a fetch-decrypt-and-execute dropper that fires on a default install.\n\nThe package name also trades on the popular `express` framework while shipping empty author/description/repository metadata and a generic README that itself notes the script is obfuscated, consistent with a deliberate supply-chain lure rather than a legitimate helper.\n","modified":"2026-06-26T22:46:40.509248856Z","published":"2026-06-26T21:40:14Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007670","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"modified_time":"2026-06-26T21:40:14Z","versions":["12.1.9"],"import_time":"2026-06-26T22:30:41.298649551Z","sha256":"1ba96d5070924af79839d4dbc950b28c3f59ad9515890cf83f1d631a6678c120","source":"amazon-inspector"},{"id":"IN-MAL-2026-007671","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"versions":["12.1.10"],"sha256":"a8d292a4664135ed1869f907d62fb6472839ab54a59aedb2f3a88022a0c70095","import_time":"2026-06-26T22:30:41.346416062Z","modified_time":"2026-06-26T21:40:25Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-initial/v/12.1.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/express-initial/v/12.1.10"}],"affected":[{"package":{"name":"express-initial","ecosystem":"npm","purl":"pkg:npm/express-initial"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["12.1.9","12.1.10"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"e60bc20725873207cc80e2d5ad3b47a5e4acbea4","sha512_sri":"sha512-VDv/DISstAYC5rkKglhg5QD1Tc6GX/j1wpRT1AKh/p0MtIwf8Ta8TtFbVUAgfgDTJfI0s1kZ4BpZBTPJ8f3R/g=="},"filename":"express-initial-12.1.9.tgz"}],"evidence_files":[{"sha256":"9ecade5bfc69696b2077c067bcb38d77ca75563ad1432b8a43acef5e87f0010b","tlsh":"c682778c3fd1b0a15633b0f77a1b6496f1795c88b38d8948f796f058fd28318e496b68","path":"index.js"},{"sha256":"1a736723cd34a5e32c8301b6a6858e3329712eeb6306f3f3962e5cb5f64cf9e5","tlsh":"9bd097220e920a3366b046962c3a818bb2a04f2f24307c0b71ff053c42e33318cee718","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-initial/MAL-2026-6543.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}