npm

express-session-kit @1.18.1

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC

Malicious

OSV ID

MAL-2026-10131

Ecosystem

npm

Summary

The package impersonates the popular express-session library by copying its name pattern, author metadata (TJ Holowaychuk <tj@vision-media.ca>), and repository field (expressjs/session-kit). The library body is a verbatim copy of express-session with a dropper appended to index.js: an initServer() function invoked at module load spawns a detached, stdio-ignored node subprocess to run a sibling payload script. That payload (session/check.js) performs an HTTP GET to http://check-server-state.vercel.app/server/v2 with a bearrtoken: gemini header, and when the endpoint responds with HTTP 404 carrying a JSON token field, wraps that field with new Function("require", err.response.data.token) and immediately invokes it with the real require — granting the remote endpoint arbitrary code execution in the Node process. Delivery via a 404 error body is a covert channel designed to look like a benign failed probe. Although the current dropper references./lib/check.js while the payload actually ships at./session/check.js and the spawn/path bindings are not imported (so the current tarball's dropper would throw before spawning), the second-stage payload file is present, complete, and directly requireable; any consumer that requires the payload — or a trivial fix in a subsequent version — makes the RCE live. Combined with the typosquat cover, this is a supply-chain attack targeting developers who mistype express-session.

Source: amazon-inspector (076f813c0d0a60ee43f7a73f8aad609e5043cd8d92b57b5c3c3c08954accbb4f)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.