-= Per source details. Do not edit below this line.=-
The sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an Authentication header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under a temp/home path, and executes that file via childprocess.exec with windowsHide:true. All module names (fs, os, path, childprocess, http client), the fetch URL, header name/value, crypto algorithm, and temp path components are stored encrypted in the string array — the obfuscation exists purely to hide the C2 URL and payload pipeline. The package name (express-router-engine) also mismatches its own description text (express-route-engine is a lightweight routing framework...), consistent with name-confusion against a legitimate routing helper. Any consumer that requires this package fetches and executes attacker-controlled code on the installer's machine.
{
"malicious-packages-origins": [
{
"versions": [
"3.6.5"
],
"id": "IN-MAL-2026-009285",
"modified_time": "2026-07-09T15:55:17Z",
"import_time": "2026-07-09T16:20:57.377839426Z",
"sha256": "49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70",
"source": "amazon-inspector"
},
{
"versions": [
"3.6.6"
],
"id": "IN-MAL-2026-009322",
"import_time": "2026-07-09T17:19:23.681830894Z",
"modified_time": "2026-07-09T16:50:00Z",
"sha256": "8ccf7c2321da04d59215e49cc91b2dc6da1cc66606ff968d968f397286f1ed3c",
"source": "amazon-inspector"
},
{
"sha256": "f8a4b520ba7169b1a71e922c24e8b5f70d7c5205b0c21b808fda327d907f0fe4",
"id": "IN-MAL-2026-009323",
"import_time": "2026-07-09T17:19:23.829525114Z",
"modified_time": "2026-07-09T16:50:10Z",
"versions": [
"3.6.7"
],
"source": "amazon-inspector"
},
{
"sha256": "ff7183244d992f74d03d08e21630f71924ce0c3990ea3bdaadd47f0adc8c390f",
"id": "IN-MAL-2026-009401",
"import_time": "2026-07-09T21:03:51.095354131Z",
"modified_time": "2026-07-09T20:46:50Z",
"versions": [
"3.6.8"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "85b283c93fd1b4a05223b0f76a1ba5a5e1396c98b3cc8449f7e7f058fd58314e0a5b68",
"sha256": "d5fca13ecf8936e4be2201d722b131c67d6ec5cd5e4087e2189440c08ddf5f63",
"path": "index.js"
},
{
"tlsh": "3ff020386a0500a705cb02a37ca0509aebb1cf4f25c17c0517a7c5b852d3f721dbe30c",
"sha256": "c2e9b31bc6e2f5b6f89fe2613078548b1f9b9e27abece5c3164d612a067eab1c",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "express-router-engine-3.6.5.tgz",
"hashes": {
"sha512_sri": "sha512-iz18+fsMQ6+psHCnfGToBJfTW4M6jFZmQO20RsqQUZVoUzXTShGBHz4tlJuO55lNSJeZcxRF1Ssd6wmpe3uAng==",
"sha1": "4cbee8284bfe88cc45a591125af5cf29c43641af"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-router-engine/MAL-2026-10063.json"