MAL-2026-6229

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/routecraft/MAL-2026-6229.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6229
Published
2026-06-19T15:55:54Z
Modified
2026-06-19T17:01:45.703587918Z
Summary
Malicious code in routecraft (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0)

routecraft@4.2.0 ships verbatim Express.js source (lib/routecraft.js, lib/application.js, lib/request.js, lib/response.js, lib/utils.js, lib/view.js — same layout, comments, and exports including createApplication, Router, and json/raw/text/urlencoded/static middleware) under a different package name and author with no Express attribution, presenting itself as an original 'lightweight HTTP routing framework'. package.json declares "preinstall": "node ./lib/configure.js". lib/configure.js performs no compilation despite logging '...Skipping native addon compilation' — the package ships no native sources (no binding.gyp, no .cc/.cpp/.rs files). Instead, lines 10-12 contain if (os.platform() === 'win32' && v >= 18) { require('procwire'); }, conditionally loading the obscure procwire dependency (declared as ^1.3.0) only on Windows with Node >= 18. The false cover story, the platform gate, and the delegation of the executed code to an unpinned transitive dependency together form the standard pattern for shifting a malicious payload off the parent package so it appears clean while installers on Windows execute whatever procwire ships at install time.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "35254023a0071db579346eebe9f0e355a847a6d7f4320f600354c220f00ba646",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:55:54Z",
            "id": "IN-MAL-2026-007085",
            "versions": [
                "5.0.0"
            ],
            "import_time": "2026-06-19T16:53:21.348902647Z"
        },
        {
            "sha256": "a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:57:50Z",
            "versions": [
                "4.2.0"
            ],
            "id": "IN-MAL-2026-007086",
            "import_time": "2026-06-19T16:53:21.405061587Z"
        }
    ]
}

Affected packages

npm / routecraft

Affected versions

4.*
4.2.0
5.*
5.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/routecraft/MAL-2026-6229.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "e0fb0ac2cd9a864482a63de72821462ad5e2fa3f73b9ea5229c49cee0d0bafc8",
            "tlsh": "dae020cc9bfde556397526c6181602176555c0210e05d4d06534d1f57f90d7017a6df9",
            "path": "lib/configure.js"
        },
        {
            "sha256": "0ac99f23625ab512ad4170e1658a4e21f69359e01c89bd0dd507cec2c52e27e2",
            "tlsh": "5b31f0c7b5c0b2a917a375fc473ad1c16caed2fa6045d4ba40d4d2f82c8140dd385ed4",
            "path": "lib/routecraft.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-Phu3S1BH9fDl7mrSe5euILuJkQl91/7pDl/fD51upMZAIyDw9tZC8Qu50tR0V4N0CM41A+71CiBhEcqIUiWrIw==",
                "sha1": "db1b27737dd2d0cbbbbc792676be52a623911a15"
            },
            "filename": "routecraft-5.0.0.tgz"
        }
    ]
}