npm

express-plugin @1.6.6

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 6:49 PM UTC

Malicious

OSV ID

MAL-2026-6523

Ecosystem

npm

Summary

On module load, index.js auto-invokes initPlugin(), which sends an HTTP GET to https://jsonkeeper.com/b/PRA3O, parses the JSON response, and passes the response's cookie field to Function.constructor with require exposed, then immediately invokes the resulting function. Any process that does require('express-plugin') therefore executes arbitrary JavaScript pulled from a mutable third-party paste host with full Node require privileges, giving whoever controls that paste full control of the installer's machine. The file carries a normalize-path (ES6 safe version) header comment and exports an unused normalizePath function as a decoy; the package name express-plugin is cover framing intended to make the package look like a benign Express middleware. The remote payload is attacker-mutable: today's content can be swapped for credential theft, persistence, or any other action at any time without republishing the package.

Source: amazon-inspector (183cda19ef38d3451b375669fb460577a83217091d96d7fc11d5bf33679c8003)
