npm

express-router-engine @3.6.8

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-10063

Ecosystem

npm

Summary

The sole shipped file index.js is a heavily obfuscated (RC4 + base64 string-array, 337-entry rotated array, control-flow flattening) IIFE that executes at require() time. On load it constructs a URL from encrypted string constants plus the package version, issues an HTTP GET with an Authentication header, splits the response body on ':' to derive a symmetric key and IV, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under a temp/home path, and executes that file via child_process.exec with windowsHide:true . All module names (fs, os, path, child_process, http client), the fetch URL, header name/value, crypto algorithm, and temp path components are stored encrypted in the string array — the obfuscation exists purely to hide the C2 URL and payload pipeline. The package name ( express-router-engine ) also mismatches its own description text ( express-route-engine is a lightweight routing framework... ), consistent with name-confusion against a legitimate routing helper. Any consumer that requires this package fetches and executes attacker-controlled code on the installer's machine.

Source: amazon-inspector (49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.