MAL-2026-10131
Malicious code in express-session-kit (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (076f813c0d0a60ee43f7a73f8aad609e5043cd8d92b57b5c3c3c08954accbb4f) The package impersonates the popular express-session library by copying its name pattern, author metadata (TJ Holowaychuk <tj@vision-media.ca>), and repository field (expressjs/session-kit). The library body is a verbatim copy of express-session with a dropper appended to index.js: an initServer() function invoked at module load spawns a detached, stdio-ignored `node` subprocess to run a sibling payload script. That payload (session/check.js) performs an HTTP GET to http://check-server-state.vercel.app/server/v2 with a `bearrtoken: gemini` header, and when the endpoint responds with HTTP 404 carrying a JSON `token` field, wraps that field with `new Function("require", err.response.data.token)` and immediately invokes it with the real require — granting the remote endpoint arbitrary code execution in the Node process. Delivery via a 404 error body is a covert channel designed to look like a benign failed probe. Although the current dropper references./lib/check.js while the payload actually ships at./session/check.js and the spawn/path bindings are not imported (so the current tarball's dropper would throw before spawning), the second-stage payload file is present, complete, and directly requireable; any consumer that requires the payload — or a trivial fix in a subsequent version — makes the RCE live. Combined with the typosquat cover, this is a supply-chain attack targeting developers who mistype express-session.
## Source: ghsa-malware (44b1bb99fbd84a5cd6a12254371c4689b14a2b8f679157961cd58e26b87b26f9) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for express-session-kit (npm). Pin to a known-safe version or switch to an alternative.