MAL-2026-4556
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-enrouten-async/MAL-2026-4556.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4556
- Published
- 2026-05-22T18:36:43Z
- Modified
- 2026-05-26T06:02:31.390441540Z
- Summary
- Malicious code in express-enrouten-async (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (f944bc544f9368e58a223e76e462ddec4ba325c728a233100182706ad8f0ae0e)
Package name mimics the legitimate
express-enroutenroute-discovery library, but the shippedindex.jsonly hardcodes two demo routes rather than implementing automatic route discovery. The malicious mechanism is inpackage.json, which declares"node-fetch": "https://registry.ctzbg.com/express-enrouten-async/node-fetch"— a direct URL dependency pointing at a third-party, non-npm registry under a path namespaced to this package. Onnpm install, npm fetches and installs whatever tarball that URL serves as the installer'snode-fetch, so any code requiringnode-fetchin the host application loads attacker-controlled, unpinned, mutable bytes from a non-publisher domain. This is dependency-confusion-style supply-chain attack: the lookalike package name lures the install, and the URL-pinned fakenode-fetchis the delivery vehicle for arbitrary code into the installer's dependency tree. - Database specific
{ "malicious-packages-origins": [ { "import_time": "2026-05-26T05:52:13.476298611Z", "sha256": "5d8f74bd578bedcd5395600fd615f05122d59e27e0a59318ee226d123c67092c", "source": "amazon-inspector", "id": "IN-MAL-2026-004244", "modified_time": "2026-05-22T18:39:49Z", "versions": [ "1.4.12" ] }, { "import_time": "2026-05-26T05:52:13.372950122Z", "sha256": "6ad6c1863bd00e262f6555b8e450c471e494e2f808c9f89ba09fa248689f8a24", "id": "IN-MAL-2026-004243", "source": "amazon-inspector", "modified_time": "2026-05-22T18:39:48Z", "versions": [ "1.4.12" ] }, { "import_time": "2026-05-26T05:52:13.049225066Z", "sha256": "92452005ac9e56af97c1209041f118aa294e5a5350a6df1e943cea1fdb0e0b5b", "id": "IN-MAL-2026-004240", "source": "amazon-inspector", "modified_time": "2026-05-22T18:36:43Z", "versions": [ "1.4.11" ] }, { "import_time": "2026-05-26T05:52:12.951657109Z", "sha256": "f944bc544f9368e58a223e76e462ddec4ba325c728a233100182706ad8f0ae0e", "id": "IN-MAL-2026-004239", "source": "amazon-inspector", "modified_time": "2026-05-22T18:36:43Z", "versions": [ "1.4.11" ] } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / express-enrouten-async
Package
- Name
- express-enrouten-async
- View open source insights on deps.dev
- Purl
- pkg:npm/express-enrouten-async
Database specific
cwes
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
indicators
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-PxA+Ou8SSZre8fsz5pbS4qOiIBXKOJt9J6Z9gikaLpmFgY9Xs684YaG7rnCChu5WABHi/uCkukbz2OGwaRoF+Q==",
"sha1": "6898c06be298e67752380a9773d00994a717d4b0"
},
"filename": "express-enrouten-async-1.4.12.tgz"
}
],
"evidence_files": [
{
"sha256": "c651bc94ba9a5b86e3dafeed5a59bc0ced2646ab0c64296b451d65806e2a1b5d",
"tlsh": "811148b9cc245e130ec86762fcb91153ab528d0b4c49fc0a73ae61ac874d67b24bd46c",
"path": "package.json"
},
{
"sha256": "7b1a213f97b0828dfcda8477f93168b24c468ea22da945b2052bb8486943f685",
"tlsh": "e7f081bd3eb1074555e7f3cef262d0431811cb10a509da12a3dde3f00e815565a82da4",
"path": "index.js"
}
],
"domains": [
"registry.ctzbg.com"
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-enrouten-async/MAL-2026-4556.json"