MAL-2026-6543

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-initial/MAL-2026-6543.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6543
Published
2026-06-26T21:40:14Z
Modified
2026-06-26T22:46:40.509248856Z
Summary
Malicious code in express-initial (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a8d292a4664135ed1869f907d62fb6472839ab54a59aedb2f3a88022a0c70095)

package.json declares "postinstall": "node index.js", so npm install express-initial automatically runs the package's main script. index.js is heavily obfuscated (obfuscator.io-style 317-entry RC4-encoded string array, base64 decoder, array-rotation self-shuffle, control-flow flattening) which hides the destination URL, AES key material, and command strings from any plain-text inspection. At runtime the script imports http/https, fs, path, os, crypto, and child_process, performs an HTTPS GET against a hard-coded remote host, splits the response on ':' into IV and ciphertext, decrypts via crypto.createDecipheriv('aes-256-...', <sha256-derived key>, Buffer.from(iv,'base64')), writes the decrypted bytes into path.join(os.tmpdir(), <name>) with flag 'w+', and immediately invokes the dropped file via child_process.exec/execFile with windowsHide: true. This is a fetch-decrypt-and-execute dropper firing on default install. The package name also leverages the popular express framework while shipping empty author/description/repository metadata and a generic README that itself notes the script is obfuscated — consistent with a deliberate supply-chain lure rather than a legitimate helper.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "12.1.9"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-26T21:40:14Z",
            "sha256": "1ba96d5070924af79839d4dbc950b28c3f59ad9515890cf83f1d631a6678c120",
            "id": "IN-MAL-2026-007670",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-26T22:30:41.298649551Z"
        },
        {
            "versions": [
                "12.1.10"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-26T21:40:25Z",
            "sha256": "a8d292a4664135ed1869f907d62fb6472839ab54a59aedb2f3a88022a0c70095",
            "id": "IN-MAL-2026-007671",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-06-26T22:30:41.346416062Z"
        }
    ]
}
References
Credits

Affected packages

npm / express-initial

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

12.*
12.1.9
12.1.10

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "express-initial-12.1.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-VDv/DISstAYC5rkKglhg5QD1Tc6GX/j1wpRT1AKh/p0MtIwf8Ta8TtFbVUAgfgDTJfI0s1kZ4BpZBTPJ8f3R/g==",
                "sha1": "e60bc20725873207cc80e2d5ad3b47a5e4acbea4"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "c682778c3fd1b0a15633b0f77a1b6496f1795c88b38d8948f796f058fd28318e496b68",
            "sha256": "9ecade5bfc69696b2077c067bcb38d77ca75563ad1432b8a43acef5e87f0010b"
        },
        {
            "path": "package.json",
            "tlsh": "9bd097220e920a3366b046962c3a818bb2a04f2f24307c0b71ff053c42e33318cee718",
            "sha256": "1a736723cd34a5e32c8301b6a6858e3329712eeb6306f3f3962e5cb5f64cf9e5"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-initial/MAL-2026-6543.json"