MAL-2026-3763

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exxpress-utils/MAL-2026-3763.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3763
Published
2026-05-14T19:25:05Z
Modified
2026-05-15T07:51:50.423105Z
Summary
Malicious code in exxpress-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (dfa81f7c144d5feeea9c49254fbeec68f8271460d4a51efd5757a62b251c05f2)

The package declares scripts.postinstall pointing at postinstall.js, which npm runs automatically on install. The script performs three collection actions concurrently:

(1) reads ~/.npmrc, ~/.env, and ~/.git-credentials and extracts npm _authToken values and npm_ tokens (npm_ followed by 36 characters), NPM_TOKEN, NPM_AUTH_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, and git URLs with embedded credentials;

(2) enumerates Chrome / Brave / Edge / Chromium / Vivaldi / Opera profile directories under Local Extension Settings/<walletId> for 71 hardcoded crypto-wallet extension IDs (MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn, Phantom, Coinbase Wallet, Trust Wallet, Ledger, Trezor, etc.) and regex-scans their logs for vault/seed/mnemonic/privateKey/password patterns;

(3) walks ~/Documents, ~/Desktop, ~/Downloads for files whose names match crypto keywords and reads their contents.

The harvested data is serialized as JSON and POSTed to the hardcoded C2 http://149.28.127.35:8888 over plain HTTP via http.request. The package name is a double-x typosquat of express; its advertised purpose is 'utility helpers', index.js is a no-op stub whose description contradicts the package name ('Lodash JavaScript utilities bundle'), and postinstall.js carries self-incriminating header comments ('Token harvester + Crypto wallet scanner', 'Silent. Zero trace.'). Every structural fingerprint of a credential/wallet stealer is present: a hardcoded C2 bound to http.request in a lifecycle hook, browser wallet-extension-ID lookup, a seed-phrase directory scanner, and token-regex extraction from ~/.npmrc / ~/.env / ~/.git-credentials.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-14T19:25:06Z",
            "versions": [
                "2.0.0"
            ],
            "sha256": "08e76c5ca8cc5c0195c3de13bcbc5d0c24749a44d4b2247c4d806f030832de50",
            "id": "IN-MAL-2026-002688",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:16.611881698Z"
        },
        {
            "modified_time": "2026-05-14T19:25:05Z",
            "versions": [
                "1.0.3"
            ],
            "sha256": "2d563e947aaa4be7d07bdcae318c2ed0573a845e5ab884a827caf504adb11e60",
            "id": "IN-MAL-2026-002686",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:16.531634854Z"
        },
        {
            "modified_time": "2026-05-14T19:25:06Z",
            "versions": [
                "1.0.5"
            ],
            "sha256": "69b7c9d7f8fe0f24a8a5cda07380a442d770c177e41eefb6e207c2d81c0115db",
            "id": "IN-MAL-2026-002687",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:16.582226723Z"
        },
        {
            "modified_time": "2026-05-14T19:25:05Z",
            "versions": [
                "1.0.2"
            ],
            "sha256": "dfa81f7c144d5feeea9c49254fbeec68f8271460d4a51efd5757a62b251c05f2",
            "id": "IN-MAL-2026-002685",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:16.467666897Z"
        }
    ]
}
Affected packages

npm / exxpress-utils

Affected versions

1.*: 1.0.2, 1.0.3, 1.0.5
2.*: 2.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "d8352ed570f8674227e3a1b8e812d493724370d4fc69dbacdedbbb4584d75650",
            "tlsh": "80522998b8be012e592385eba25f11100416fc477482fca8fbdd46449f4e24d39bb3bd",
            "path": "postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-2otnhN603t8zSzefbbmLdDXhhArxi1ZepnNMIkhJu0zXG6swW/F8mIcMtjvYGkmvvDiaw+c0OTakIVnp0MCoMA==",
                "sha1": "a63db372fd483d42c5d2e32c6140c9e648347c94"
            },
            "filename": "exxpress-utils-2.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exxpress-utils/MAL-2026-3763.json"