-= Per source details. Do not edit below this line.=-
package.json declares postinstall=node index.js. index.js is heavily obfuscated (obfuscator.io rotated string-array with RC4-based decoders hiding all identifiers and literals). At install time the script imports fs, os, path, crypto, childprocess and a network module, installs silent uncaughtException/unhandledRejection handlers to suppress errors, performs a remote lookup, splits the response on ':', base64-decodes it, AES-decrypts it via crypto.createDecipheriv, writes the decrypted bytes to a file under process.cwd(), and executes it via childprocess.execSync with windowsHide:true. The package name suggests an Express.js utility and the README describes an unrelated 'Safe Wrapper Module', but the only shipped code is the dropper — the name and README are cover for install-time remote code execution against the installer's machine.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T21:50:05Z",
"versions": [
"12.1.10"
],
"sha256": "901c68ddbe24451843ae250e4fa71b40b1d4f86d1c81a62bc8f313a55701b7d3",
"id": "IN-MAL-2026-010333",
"source": "amazon-inspector",
"import_time": "2026-07-13T22:21:56.286984271Z"
}
]
}{
"evidence_files": [
{
"tlsh": "23b285cc3fc2b0908627b0f76a5b65a5e1396c98b3cc8449f7a7f458fd58304d469b68",
"sha256": "07450cb70e48b50fa840e2871b44d6022f0bbb41a0bf1d7ac1e0c2fdeb7fd061",
"path": "index.js"
},
{
"tlsh": "44d0a7260e611a3366b547966c7a928ab2a14f2f2430ac0771ff153843d37729cdeb19",
"sha256": "1805e3cd2082bae30c984e44f12d013d7c0763b2ea7be102a5d2099709f7b7e4",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "ff7476b43f156b43f92e1afaf2333c7097c06198",
"sha512_sri": "sha512-gXINKMFI+klTxpAR/rt4Kj/EsfK9Is6I7Xy4PazB4nFM5gF6q+DC4fztOKRKXI6kCyJm7SYjDdVxZ8Ojzp3uXw=="
},
"filename": "express-ini-12.1.10.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-ini/MAL-2026-10505.json"