MAL-2026-5550

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@my_name_is_khn/express-security-tool/MAL-2026-5550.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5550
Published
2026-06-11T02:51:48Z
Modified
2026-06-11T04:01:32.645632141Z
Summary
Malicious code in @my_name_is_khn/express-security-tool (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6b7e17fc1e874d13547ace24c7b21593ce1eb13337d0d877a89c7a372974ee42)

On npm install, the package's postinstall hook (scripts/inject.js) locates the installer's host project root, identifies the main entry file (index.js, app.js, or server.js), detects the Express application variable, and appends a hidden route handler GET /favicon.ico?key=d3str0y_th1s directly into that file via fs.appendFileSync. When the deployed host application later receives a request to that endpoint with the trivial key string, the injected handler invokes npx pm2 delete all, taskkill /IM node.exe /F on Windows or pkill -f "node.*${process.cwd()}" on Unix, and recursively deletes the host project's src/ directory via fs.rm(path.join(process.cwd(),'src'), { recursive: true, force: true }).

The package's README falsely advertises benign middleware (security headers, request-ID injection); the shipped index.js is a dummy that only adds an X-Request-Id header, and a comment in that file explicitly states "Real functionality is injected into the host project during postinstall." The author field is the placeholder "Your Name".

Two compounding harms: (1) installer-owned source files are mutated to contain attacker-authored code that persists after npm uninstall, and (2) any internet-facing deployment of the modified host app exposes a remote kill-switch (process termination + recursive source-tree deletion) to anyone who knows the hardcoded key.
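A defender-side check for the tampering described above, as an added example that is not part of the advisory or of the reporting source's tooling: it scans the three entry files the advisory names for the strings the injected handler is said to contain. The function names scanSource and scanProject, the regex spellings, and the sample text are assumptions made for this example.

```javascript
// Added example: scan entry files for the injected kill-switch route.
// Indicator strings come from the advisory; the regex spellings are assumptions.
const ENTRY_FILES = ['index.js', 'app.js', 'server.js'];
const INDICATORS = [
  { id: 'kill-switch-key', re: /d3str0y_th1s/ },
  { id: 'pm2-delete-all', re: /pm2\s+delete\s+all/ },
  { id: 'taskkill-node', re: /taskkill\s+\/IM\s+node\.exe/i },
  { id: 'pkill-node', re: /pkill\s+-f\s+["']?node/ },
  { id: 'rm-src-tree',
    re: /\brm(?:Sync)?\s*\(\s*path\.join\(\s*process\.cwd\(\)\s*,\s*['"]src['"]/ },
];

// Pure check: returns [{ id, line }] for every indicator found in the text.
function scanSource(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { id, re } of INDICATORS) {
      if (re.test(line)) hits.push({ id, line: i + 1 });
    }
  });
  return hits;
}

// Reads the candidate entry files under `root`; works in CommonJS and ESM.
async function scanProject(root) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const report = {};
  for (const name of ENTRY_FILES) {
    const file = path.join(root, name);
    if (fs.existsSync(file)) report[name] = scanSource(fs.readFileSync(file, 'utf8'));
  }
  return report;
}

// Constructed samples (inert comment lines, not the package's real payload).
const SAMPLE_CLEAN = [
  "const express = require('express');",
  "const app = express();",
  "const src = path.join(process.cwd(), 'src');",
  "app.listen(3000);",
].join('\n');
const SAMPLE_TAMPERED = [
  SAMPLE_CLEAN,
  '// --- appended by postinstall (constructed) ---',
  '// route: GET /favicon.ico?key=d3str0y_th1s',
  '// cmd: npx pm2 delete all',
].join('\n');
console.log(scanSource(SAMPLE_TAMPERED));
```

Because the appended code persists after npm uninstall, a hit means the entry file itself has to be restored from version control or cleaned by hand; removing the package is not enough.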

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005396",
            "import_time": "2026-06-11T03:48:45.955420606Z",
            "sha256": "6b7e17fc1e874d13547ace24c7b21593ce1eb13337d0d877a89c7a372974ee42",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T02:51:48Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @my_name_is_khn/express-security-tool

Package

Name
@my_name_is_khn/express-security-tool
Purl
pkg:npm/%40my_name_is_khn%2Fexpress-security-tool

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "scripts/inject.js",
            "sha256": "9fc083132f243798afaaad4d6c35a846e435bdbc33dbab1df08baa4b411a92ee",
            "tlsh": "f251779187ba8235ddf173eda0151423ba5bd9301a1141a073dc837d3e960668de3dfe"
        },
        {
            "path": "index.js",
            "sha256": "82978dc1aeffe9f5a01ad9a780106a9601098ace2b0f69e45e23e3be1b762e94",
            "tlsh": "c9e061056151f64192ab7124e3174605d4eec1c116f45423b0de93df1eb150880c7dce"
        }
    ],
    "package_integrity": [
        {
            "filename": "express-security-tool-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-8SXCohwcn3e0avEA70bCO4xUuBg70PeoUeePcPpamK3pn+vQXvDxXC4YygZLk2HrEjhXzs8pOALpFVj9bjEoXw==",
                "sha1": "9e21f4f7eb01141a4f94546b7f0af51fd30748b5"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@my_name_is_khn/express-security-tool/MAL-2026-5550.json"