MAL-2026-10505
Malicious code in express-ini (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (901c68ddbe24451843ae250e4fa71b40b1d4f86d1c81a62bc8f313a55701b7d3) package.json declares postinstall=`node index.js`. index.js is heavily obfuscated (obfuscator.io rotated string-array with RC4-based decoders hiding all identifiers and literals). At install time the script imports fs, os, path, crypto, child_process and a network module, installs silent uncaughtException/unhandledRejection handlers to suppress errors, performs a remote lookup, splits the response on ':', base64-decodes it, AES-decrypts it via crypto.createDecipheriv, writes the decrypted bytes to a file under process.cwd(), and executes it via child_process.execSync with windowsHide:true. The package name suggests an Express.js utility and the README describes an unrelated 'Safe Wrapper Module', but the only shipped code is the dropper — the name and README are cover for install-time remote code execution against the installer's machine.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for express-ini (npm). Pin to a known-safe version or switch to an alternative.