MAL-2026-3762
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exxpress-tool/MAL-2026-3762.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-3762
- Published
- 2026-05-14T19:25:49Z
- Modified
- 2026-05-15T07:51:49.586556Z
- Summary
- Malicious code in exxpress-tool (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (378e423b00c08a371fbae1c77360685d2277e502e9875caa53fb20f58a39f396)
The package name
exxpress-toolis a one-character edit of the widely-usedexpresspackage. Onnpm install, the declaredscripts.postinstallrunspostinstall.js, which reads~/.npmrc(extracting_authTokenandnpm_[A-Za-z0-9]{36}tokens),~/.git-credentials, and~/.env(matching env-var names against token/secret/password/api/aws/azure/gcp/stripe/slack patterns and EVM private-key shapes), bundles the results together withos.hostname()andos.userInfo(), and POSTs the JSON to the hardcoded bare-IP endpointhttp://149.28.127.35:8888over plain HTTP. The same script iterates a hardcoded list of ~71 Chrome/Brave/Edge crypto-wallet extension IDs (MetaMask, Phantom, Coinbase Wallet, Trust, Exodus, Ledger Live, Trezor, etc.), reads each wallet'sLocal Extension SettingsLevelDB.logfiles, and regex-matches onvault,mnemonic,seed,privateKey,encrypted. It also recursively walks~/Documents,~/Desktop,~/Downloads,~/OneDrive,~/Dropbox, and~/Google Drivesearching for BIP-39 seed phrases and0x-prefixed private keys. The advertised library code (index.js) is an empty stub; the author's own in-source comments (The real payload is in postinstall.js,Silent. Zero trace.,Token harvester + Crypto wallet scanner) confirm intent. Any developer or CI environment that installs this package will have npm publish tokens, git credentials, environment secrets, and browser wallet data shipped to the attacker. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-002761", "import_time": "2026-05-15T07:37:19.354581629Z", "sha256": "070d78eff6164cdeada249e08628e36f876389ee402c2d561be8e0e7dd131310", "source": "amazon-inspector", "modified_time": "2026-05-14T19:25:50Z", "versions": [ "1.0.0" ] }, { "id": "IN-MAL-2026-002772", "import_time": "2026-05-15T07:37:19.501041282Z", "sha256": "378e423b00c08a371fbae1c77360685d2277e502e9875caa53fb20f58a39f396", "source": "amazon-inspector", "modified_time": "2026-05-14T19:25:59Z", "versions": [ "1.0.5" ] }, { "id": "IN-MAL-2026-002760", "import_time": "2026-05-15T07:37:19.314041988Z", "sha256": "5c2f0be4715c05e6da80dc17203b6c4707729f4d622cb3247d33f164d93e4ba1", "source": "amazon-inspector", "modified_time": "2026-05-14T19:25:49Z", "versions": [ "1.0.2" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / exxpress-tool
Package
- Name
- exxpress-tool
- View open source insights on deps.dev
- Purl
- pkg:npm/exxpress-tool
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "postinstall.js",
"sha256": "6a5dffd7836eec6f4271dac9ba85466a40bc98ca2b7609172dfce52d0cb70246",
"tlsh": "f4a165d558a068145dab82e53747b020ae15e183370eddf0f74c0aa48fc0e69e5f3bda"
},
{
"path": "package.json",
"sha256": "4952198f5ad13e5dbefe4eef738b2b8da9faaddf70a6f6b01f93d767cd42f2f5",
"tlsh": "94e0c2208e628a3334c05a531e5b464965714a870044bc0837d7157c4b9e3b648fe21e"
}
],
"package_integrity": [
{
"filename": "exxpress-tool-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-jCzO9BzZ/sIRO8YFJZEcy707vaDhVK6eibsvBREEP8dGOqtRreWUhWLArnpu5Ngxun63SiWLMpM0XHfrsJpQag==",
"sha1": "98aab45c427ed544a115348e9648e14b1bd8cdb1"
}
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exxpress-tool/MAL-2026-3762.json"