express-request-engine @3.6.3
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10414
Ecosystem
npm
Summary
The package's main entry (index.js) presents itself as a normalize-path utility but on module load calls initPlugin() at top level, which performs an HTTPS fetch to https://api.jsonbin.io/v3/b/6a4f5816f5f4af5e29762c92 and passes the response body's record.cerookie field into new (Function.constructor)('require',...) , invoking it with the consumer's own require function. The result is arbitrary attacker-controlled JavaScript executing with full module-loading privileges on any process that imports the package. The destination is a mutable jsonbin document under an anonymous account, so the executed code can be changed at any time by the publisher. Obscure naming ( cerookie payload field, bearrtoken: 'logo' header) and the mismatch between the advertised normalize-path purpose and the actual network fetch + Function-constructor exec indicate deliberate concealment rather than misconfiguration.
Source: amazon-inspector (650f45223a2abc34039d499274c1cce89abdf6b4be571d326b73e2b10da48e30)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.