VDB
EN

MAL-2026-10414

Malicious code in express-request-engine (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (650f45223a2abc34039d499274c1cce89abdf6b4be571d326b73e2b10da48e30) The package's main entry (index.js) presents itself as a `normalize-path` utility but on module load calls initPlugin() at top level, which performs an HTTPS fetch to https://api.jsonbin.io/v3/b/6a4f5816f5f4af5e29762c92 and passes the response body's `record.cerookie` field into `new (Function.constructor)('require',...)`, invoking it with the consumer's own `require` function. The result is arbitrary attacker-controlled JavaScript executing with full module-loading privileges on any process that imports the package. The destination is a mutable jsonbin document under an anonymous account, so the executed code can be changed at any time by the publisher. Obscure naming (`cerookie` payload field, `bearrtoken: 'logo'` header) and the mismatch between the advertised `normalize-path` purpose and the actual network fetch + Function-constructor exec indicate deliberate concealment rather than misconfiguration.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / express-request-engine

No fixed version published yet for express-request-engine (npm). Pin to a known-safe version or switch to an alternative.

참고