MAL-2026-10505

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-ini/MAL-2026-10505.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10505
Published
2026-07-13T21:50:05Z
Modified
2026-07-13T22:31:56.739889912Z
Summary
Malicious code in express-ini (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (901c68ddbe24451843ae250e4fa71b40b1d4f86d1c81a62bc8f313a55701b7d3)

package.json declares postinstall=node index.js. index.js is heavily obfuscated (obfuscator.io rotated string-array with RC4-based decoders hiding all identifiers and literals). At install time the script imports fs, os, path, crypto, childprocess and a network module, installs silent uncaughtException/unhandledRejection handlers to suppress errors, performs a remote lookup, splits the response on ':', base64-decodes it, AES-decrypts it via crypto.createDecipheriv, writes the decrypted bytes to a file under process.cwd(), and executes it via childprocess.execSync with windowsHide:true. The package name suggests an Express.js utility and the README describes an unrelated 'Safe Wrapper Module', but the only shipped code is the dropper — the name and README are cover for install-time remote code execution against the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T21:50:05Z",
            "versions": [
                "12.1.10"
            ],
            "sha256": "901c68ddbe24451843ae250e4fa71b40b1d4f86d1c81a62bc8f313a55701b7d3",
            "id": "IN-MAL-2026-010333",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T22:21:56.286984271Z"
        }
    ]
}
References
Credits

Affected packages

npm / express-ini

Package

Affected ranges

Affected versions

12.*
12.1.10

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "23b285cc3fc2b0908627b0f76a5b65a5e1396c98b3cc8449f7a7f458fd58304d469b68",
            "sha256": "07450cb70e48b50fa840e2871b44d6022f0bbb41a0bf1d7ac1e0c2fdeb7fd061",
            "path": "index.js"
        },
        {
            "tlsh": "44d0a7260e611a3366b547966c7a928ab2a14f2f2430ac0771ff153843d37729cdeb19",
            "sha256": "1805e3cd2082bae30c984e44f12d013d7c0763b2ea7be102a5d2099709f7b7e4",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "ff7476b43f156b43f92e1afaf2333c7097c06198",
                "sha512_sri": "sha512-gXINKMFI+klTxpAR/rt4Kj/EsfK9Is6I7Xy4PazB4nFM5gF6q+DC4fztOKRKXI6kCyJm7SYjDdVxZ8Ojzp3uXw=="
            },
            "filename": "express-ini-12.1.10.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-ini/MAL-2026-10505.json"