MAL-2026-6568

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-mocha-test/MAL-2026-6568.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6568
Published
2026-06-29T04:25:49Z
Modified
2026-06-29T07:16:44.168924729Z
Summary
Malicious code in express-mocha-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (01d87351be0d9f68d73ec05867e55fe5712d4885fa76c70c5ec9b003ef512825)

express-mocha-test@0.0.1 declares a postinstall lifecycle hook that loads the package's main module, which calls fetch() against an anonymous ngrok-free.app tunnel (https://2939e69fc408.ngrok-free.app/stats) and passes the response body directly to eval(). This executes attacker-controlled JavaScript on any machine that runs npm install for this package, with no pinning, integrity check, or scoping. The destination is an ephemeral, mutable, attacker-operated tunnel — not a registry, not a publisher domain. Package metadata impersonates well-known maintainers of the express and mocha projects (author field set to 'TJ Holowaychuk'), and the stated description ('Integrate redis with cookies') does not match the shipped behavior, indicating deliberate impersonation rather than misconfiguration.

Source: ossf-package-analysis (29f25ba9eae37a7b135fdd249bed8152a0eef931ba2934f5cb08ed07638ffb88)

The OpenSSF Package Analysis project identified 'express-mocha-test' @ 0.0.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "29f25ba9eae37a7b135fdd249bed8152a0eef931ba2934f5cb08ed07638ffb88",
            "import_time": "2026-06-29T05:07:00.11649953Z",
            "modified_time": "2026-06-29T04:25:49Z",
            "source": "ossf-package-analysis",
            "versions": [
                "0.0.1"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "01d87351be0d9f68d73ec05867e55fe5712d4885fa76c70c5ec9b003ef512825",
            "import_time": "2026-06-29T07:09:09.347549058Z",
            "modified_time": "2026-06-29T05:31:21Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "IN-MAL-2026-007742",
            "versions": [
                "0.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / express-mocha-test

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "express-mocha-test-0.0.1.tgz",
            "hashes": {
                "sha1": "14ab80976036d18020a68805113236ad9d1e8967",
                "sha512_sri": "sha512-pRGzOB0l43tBRzrNGLwrnpXWvO6TnZgU8StVOfQXO9ITNzPqLazaNWJDO7p3mm0hiIdKmuraBbpupPJgKpyeUg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "14e0d8991cbd21759970e7ba67172205ed52962b1b80970673ddc5480f35a10c04ed4d",
            "sha256": "078fb426fe2bf73a75d8f04bead875859fb62ab254a71b6ca5a1f41cf4b704ea",
            "path": "index.cjs"
        },
        {
            "tlsh": "81f0dd22ee148a2718f4476948bc4002fb515b1f4070dc0f32ff2a6c0bd2177185af16",
            "sha256": "69c90291ad0967c68e10a93ae963686834420235180f6673c3a026c2a6808580",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/express-mocha-test/MAL-2026-6568.json"