MAL-2026-10063

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-router-engine/MAL-2026-10063.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10063
Published
2026-07-09T15:55:17Z
Modified
2026-07-09T21:16:56.297066139Z
Summary
Malicious code in express-router-engine (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70)

The sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an Authentication header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under a temp/home path, and executes that file via childprocess.exec with windowsHide:true. All module names (fs, os, path, childprocess, http client), the fetch URL, header name/value, crypto algorithm, and temp path components are stored encrypted in the string array — the obfuscation exists purely to hide the C2 URL and payload pipeline. The package name (express-router-engine) also mismatches its own description text (express-route-engine is a lightweight routing framework...), consistent with name-confusion against a legitimate routing helper. Any consumer that requires this package fetches and executes attacker-controlled code on the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.6.5"
            ],
            "id": "IN-MAL-2026-009285",
            "modified_time": "2026-07-09T15:55:17Z",
            "import_time": "2026-07-09T16:20:57.377839426Z",
            "sha256": "49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "3.6.6"
            ],
            "id": "IN-MAL-2026-009322",
            "import_time": "2026-07-09T17:19:23.681830894Z",
            "modified_time": "2026-07-09T16:50:00Z",
            "sha256": "8ccf7c2321da04d59215e49cc91b2dc6da1cc66606ff968d968f397286f1ed3c",
            "source": "amazon-inspector"
        },
        {
            "sha256": "f8a4b520ba7169b1a71e922c24e8b5f70d7c5205b0c21b808fda327d907f0fe4",
            "id": "IN-MAL-2026-009323",
            "import_time": "2026-07-09T17:19:23.829525114Z",
            "modified_time": "2026-07-09T16:50:10Z",
            "versions": [
                "3.6.7"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "ff7183244d992f74d03d08e21630f71924ce0c3990ea3bdaadd47f0adc8c390f",
            "id": "IN-MAL-2026-009401",
            "import_time": "2026-07-09T21:03:51.095354131Z",
            "modified_time": "2026-07-09T20:46:50Z",
            "versions": [
                "3.6.8"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / express-router-engine

Package

Name
express-router-engine
View open source insights on deps.dev
Purl
pkg:npm/express-router-engine

Affected ranges

Affected versions

3.*
3.6.5
3.6.6
3.6.7
3.6.8

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "85b283c93fd1b4a05223b0f76a1ba5a5e1396c98b3cc8449f7e7f058fd58314e0a5b68",
            "sha256": "d5fca13ecf8936e4be2201d722b131c67d6ec5cd5e4087e2189440c08ddf5f63",
            "path": "index.js"
        },
        {
            "tlsh": "3ff020386a0500a705cb02a37ca0509aebb1cf4f25c17c0517a7c5b852d3f721dbe30c",
            "sha256": "c2e9b31bc6e2f5b6f89fe2613078548b1f9b9e27abece5c3164d612a067eab1c",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "express-router-engine-3.6.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-iz18+fsMQ6+psHCnfGToBJfTW4M6jFZmQO20RsqQUZVoUzXTShGBHz4tlJuO55lNSJeZcxRF1Ssd6wmpe3uAng==",
                "sha1": "4cbee8284bfe88cc45a591125af5cf29c43641af"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-router-engine/MAL-2026-10063.json"