express-ini @12.1.10
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10505
Ecosystem
npm
Summary
package.json declares postinstall= node index.js . index.js is heavily obfuscated (obfuscator.io rotated string-array with RC4-based decoders hiding all identifiers and literals). At install time the script imports fs, os, path, crypto, child_process and a network module, installs silent uncaughtException/unhandledRejection handlers to suppress errors, performs a remote lookup, splits the response on ':', base64-decodes it, AES-decrypts it via crypto.createDecipheriv, writes the decrypted bytes to a file under process.cwd(), and executes it via child_process.execSync with windowsHide:true. The package name suggests an Express.js utility and the README describes an unrelated 'Safe Wrapper Module', but the only shipped code is the dropper — the name and README are cover for install-time remote code execution against the installer's machine.
Source: amazon-inspector (901c68ddbe24451843ae250e4fa71b40b1d4f86d1c81a62bc8f313a55701b7d3)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.