MAL-2026-6523

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-plugin/MAL-2026-6523.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6523

Published

2026-06-26T14:35:03Z

Modified

2026-06-26T15:16:36.295026277Z

Summary

Malicious code in express-plugin (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (183cda19ef38d3451b375669fb460577a83217091d96d7fc11d5bf33679c8003)

On module load, index.js auto-invokes initPlugin(), which HTTP-GETs https://jsonkeeper.com/b/PRA3O, parses the JSON response, and passes the response's cookie field to Function.constructor with require exposed, then immediately invokes the resulting function. Any process that does require('express-plugin') executes arbitrary JavaScript pulled from a mutable third-party paste host with full Node require privileges, giving the operator of that paste full control of the installer's machine. The file is headed as normalize-path (ES6 safe version) and exports an unused normalizePath function as decoy; the package name express-plugin is cover framing intended to make the package look like a benign Express middleware. The remote payload is attacker-mutable: today's content can be swapped for credential theft, persistence, or any other action at any time without republishing the package.

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.6.6"
            ],
            "modified_time": "2026-06-26T14:35:03Z",
            "sha256": "183cda19ef38d3451b375669fb460577a83217091d96d7fc11d5bf33679c8003",
            "id": "IN-MAL-2026-007607",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T14:59:21.375612638Z"
        }
    ]
}

References

https://www.npmjs.com/package/express-plugin/v/1.6.6

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / express-plugin

Package

Name: express-plugin; View open source insights on deps.dev
Purl: pkg:npm/express-plugin

Affected ranges

Affected versions

1.*

1.6.6

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-plugin/MAL-2026-6523.json"

indicators

{
    "package_integrity": [
        {
            "filename": "express-plugin-1.6.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-Fu6LvzXbDNuvgjpSHNZy91mcmbER26jnB3vpFN6OcTaODQxV86D3fSBGYNXj/M44pzgB2MwXoCw7O06yf/5Kqg==",
                "sha1": "02dbd0ec2dcd58a51566d415265b44123e3a60db"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "e641edd924fa6125c1a3e1810f8fc409b22ae1133358cac4b98c53546fe07b8a7f2f4a",
            "sha256": "cb40d0001069f499b51beaba992eaf01247958017ebd217ac6421c7650828f9f"
        }
    ]
}