VDB
KO

MAL-2026-10063

Malicious code in express-router-engine (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70) The sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an `Authentication` header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under a temp/home path, and executes that file via child_process.exec with `windowsHide:true`. All module names (fs, os, path, child_process, http client), the fetch URL, header name/value, crypto algorithm, and temp path components are stored encrypted in the string array — the obfuscation exists purely to hide the C2 URL and payload pipeline. The package name (`express-router-engine`) also mismatches its own description text (`express-route-engine is a lightweight routing framework...`), consistent with name-confusion against a legitimate routing helper. Any consumer that requires this package fetches and executes attacker-controlled code on the installer's machine.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / express-router-engine

No fixed version published yet for express-router-engine (npm). Pin to a known-safe version or switch to an alternative.

References