npm

routing-controls @1.0.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC

Malicious

OSV ID

MAL-2026-5635

Ecosystem

npm

Summary

Package name routing-controls is a one-edit variant of the popular routing-controllers package (~1M weekly downloads), and the README and source are a near-verbatim clone. Inside build/cjs/RoutingControllers.js lines 84-88, the executeAction method contains a non-standard code path that fires on every POST action: it resolves ./util/lib.min.js , deletes the entry from require.cache , and re-requires the file. In version 1.0.1 the target file build/cjs/util/lib.min.js (and its esm2015 sibling) is a 100-byte stub containing only console.log('[routing-controls] POST route invoked at ' + new Date().toISOString()); , so no actively harmful behavior fires today. However, the misleading .min.js suffix on a stub file paired with a cache-busting reload on every POST is the structural shape of a hot-swappable trigger — a follow-up version could replace lib.min.js with arbitrary code that runs on every POST request in any application using this library. The current version exhibits no exfiltration, no remote fetch, no install-time execution, and no credential access; the harm is latent and depends on a future republication.

Source: amazon-inspector (bcd98c45663ebd03d8f553589ef12e33bae9518be150ef7dca94881592a1827d)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.