npm

express-initial @12.1.10

Vulnerability report · Last retrieved from osv.dev June 27, 2026 at 1:51 AM UTC

Malicious

OSV ID

MAL-2026-6543

Ecosystem

npm

Summary

package.json declares "postinstall": "node index.js", so npm install express-initial automatically runs the package's main script. index.js is heavily obfuscated (obfuscator.io-style 317-entry RC4-encoded string array, base64 decoder, array-rotation self-shuffle, control-flow flattening), which hides the destination URL, AES key material, and command strings from any plain-text inspection. At runtime the script imports http/https, fs, path, os, crypto, and child_process, performs an HTTPS GET against a hard-coded remote host, splits the response on ':' into IV and ciphertext, decrypts via crypto.createDecipheriv('aes-256-...', <sha256-derived key>, Buffer.from(iv,'base64')), writes the decrypted bytes into path.join(os.tmpdir(), <name>) with flag 'w+', and immediately invokes the dropped file via child_process.exec / execFile with windowsHide: true. This is a fetch-decrypt-and-execute dropper firing on default install. The package name also leverages the popular express framework while shipping empty author/description/repository metadata and a generic README that itself notes the script is obfuscated — consistent with a deliberate supply-chain lure rather than a legitimate helper.

Source: amazon-inspector (a8d292a4664135ed1869f907d62fb6472839ab54a59aedb2f3a88022a0c70095)
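As an added illustration of how the traits in this summary can be checked across a dependency tree (this is not osv.dev's or Amazon Inspector's code; the package names, sample sources and thresholds are constructed), a heuristic that flags packages with an install-time hook whose entry script pairs the module set, call names and obfuscator-style identifiers described above:

```javascript
// Added detection heuristic; not osv.dev's or Amazon Inspector's own code.
// Flags an npm package that (a) declares an install-time lifecycle hook and
// (b) ships an entry script combining the module set and calls named in the
// report, or showing obfuscator.io-style identifiers. Thresholds are assumptions.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const DROPPER_MODULES = ['https', 'http', 'crypto', 'child_process', 'os', 'fs'];
const DROPPER_CALLS = ['createDecipheriv', 'tmpdir', 'execFile', 'exec', 'windowsHide'];

function installHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

function requiredModules(src) {
  const seen = new Set();
  for (const m of src.matchAll(/require\(\s*['"](?:node:)?([^'"]+)['"]\s*\)/g)) seen.add(m[1]);
  return DROPPER_MODULES.filter((mod) => seen.has(mod));
}

function assessPackage(pkg, entrySrc) {
  const hooks = installHooks(pkg);
  const mods = requiredModules(entrySrc);
  const calls = DROPPER_CALLS.filter((c) => entrySrc.includes(c));
  const hexIds = new Set(entrySrc.match(/_0x[0-9a-f]{2,}/g) || []).size; // obfuscator.io naming
  const missingMeta = ['author', 'description', 'repository'].filter((k) => !pkg[k]);
  const reasons = [];
  if (hooks.length) reasons.push(`runs on install via ${hooks.join(',')}`);
  if (mods.includes('child_process') && (mods.includes('https') || mods.includes('http')))
    reasons.push(`network + process execution (${mods.join(',')})`);
  if (calls.length >= 2) reasons.push(`dropper-style calls: ${calls.join(',')}`);
  if (hexIds >= 5) reasons.push(`${hexIds} obfuscator-style _0x identifiers`);
  if (missingMeta.length === 3) reasons.push('empty author/description/repository');
  // The install hook is the trigger; at least one behavioural signal makes it a finding.
  return { suspicious: hooks.length > 0 && reasons.length >= 2, reasons };
}

// Constructed samples (not the real package contents); the suspect source only
// names the calls in a comment and contains no working payload.
const SUSPECT_PKG = { name: 'example-initial', version: '1.0.0', scripts: { postinstall: 'node index.js' }, author: '', description: '', repository: '' };
const SUSPECT_SRC = [
  "const _0x1f3a = require('https'), _0x2b4c = require('crypto');",
  "const _0x3c5d = require('child_process'), _0x4d6e = require('os'), _0x5e7f = require('fs');",
  '// ... createDecipheriv / os.tmpdir / execFile with windowsHide, payload omitted',
].join('\n');
const CLEAN_PKG = { name: 'tidy-lib', version: '2.0.0', scripts: { test: 'node test.js' }, author: 'maintainer', description: 'string helpers', repository: 'git+https://example.invalid/tidy-lib.git' };
const CLEAN_SRC = 'module.exports = { trim: (s) => s.trim() };';

console.log(assessPackage(SUSPECT_PKG, SUSPECT_SRC)); // suspicious: true, five reasons
console.log(assessPackage(CLEAN_PKG, CLEAN_SRC));     // suspicious: false, no reasons
```

In a CI gate the same function would be run over each package directory after `npm install --ignore-scripts`, so the hook is inspected before it is ever allowed to execute.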
