OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10505 confirms this npm version as malicious. package.json declares postinstall=`node index.js`. index.js is heavily obfuscated (obfuscator.io rotated string-array with RC4-based decoders hiding all identifiers and literals)...
Advisory
MAL-2026-10505
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in express-ini (npm)
Details
package.json declares postinstall=`node index.js`. index.js is heavily obfuscated (obfuscator.io rotated string-array with RC4-based decoders hiding all identifiers and literals). At install time the script imports fs, os, path, crypto, child_process and a network module, installs silent uncaughtException/unhandledRejection handlers to suppress errors, performs a remote lookup, splits the response on ':', base64-decodes it, AES-decrypts it via crypto.createDecipheriv, writes the decrypted bytes to a file under process.cwd(), and executes it via child_process.execSync with windowsHide:true. The package name suggests an Express.js utility and the README describes an unrelated 'Safe Wrapper Module', but the only shipped code is the dropper — the name and README are cover for install-time remote code execution against the installer's machine.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
HighEntropyStringsMinifiedTrivial
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node index.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgindex.jsView file
1function c(b,d){b=b-(0xb35+0x1169+-0x1bb8);var e=a();var f=e[b];if(c['vJBrzO']===undefined){var g=function(l){var m='[redacted]+...
High
Obfuscated Payload Loader
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
index.jsView on unpkg · L1Findings
2 High1 Medium2 Low
HighInstall Time Lifecycle Scriptspackage.json
HighObfuscated Payload Loaderindex.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings